Thread: what is gsdfgt.exe mean in wordpress blog.

#1 - jakki

    Hi,

    Today I was checking my blog's AWStats and noticed that I got 38 visits via the key phrase gsdfgt.exe.
    Then I did a search on Google for "gsdfgt.exe mydomainname.com" and got this text:

    " 13 Apr 2010 ... C:\DOCUME~1\JKI\LOCALS~1\Temp\gsdfgt.exe. The NTVDM CPU has encountered an illegal instruction. CS:054a IP:018f OP:63 68 61 72 73 Choose ..."

    And when I visit that URL I get a page not found error.

    So can anyone explain to me what gsdfgt.exe is?

    Is it a virus or some other headache?

#2 - 5starpix
    Netbuilders shows up first for the search term "gsdfgt.exe".

    This usually happens in the Windows systems.

#3 - xxtoni
    Probably a virus of some sort. Upload the file to http://www.virustotal.com and see what it says.

#4 - Mike-XS
    Hi Jakki. This file gsdfgt.exe is related to something very huge and very bad.

    So can anyone explain to me what gsdfgt.exe is?
    gsdfgt.exe seems to be one of the files created by a very nasty P2P worm called Peerfrag [Nod32], also known as Palevo [Kaspersky].

    Basically it copies itself to the recycler and auto runs from the recycle bin. It's a usb drive infector, backdoor trojan, msn messenger / p2p network worm.

    It's also a spambot which can be controlled via IRC.

    It creates scheduled tasks and checks for updates every hour, and auto runs the exec every hour as well. It also makes connections to sites related to fake antivirus hijacks.

    --------------
    File analysis:
    --------------
    Virustotal. MD5: 4e84e8259340641f1f9930d0f4d677bd Infostealer.Banker.C Heuristic.LooksLike.Win32.Suspicious.B Worm.Generic.102961
    Malware Fix: Win32/Peerfrag.FD
    Worm/Palevo.rxq - Full description

    --------------

    " 13 Apr 2010 ... C:\DOCUME~1\JKI\LOCALS~1\Temp\gsdfgt.exe. The NTVDM CPU has encountered an illegal instruction. CS:054a IP:018f OP:63 68 61 72 73 Choose ..."
    The NTVDM error part means the exe file was probably corrupt or it was run on an incompatible operating system.
    -
    What is worrying is that there are also zeus / zbot connections in the file analysis logs.

    So a good question is why is this showing up in your Awstats logs.

    As you can see from this analysis log -> Autovin File Analyzer: 69edf4a9681fa97752d98b67b57f950efb03ce9e , the infection downloads more files from various sites and contacts a lot of different IPs, and even loads ads, so it's possible your server may be infected or there is a site on the server which has been infected.

    By comparing the files and IPs from the log analysis for Peerfrag with other recent malvertising events, we can say that this also looks to be connected to the recent Network Solutions and Godaddy server hacks - http://stopmalvertising.com/malverti...blogs-affected , which has also been connected to Zbot - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: GoDaddy's Mass WordPress Blogs Compromise Serving Scareware

    If you are running ad yieldmanager or xtendmedia ads on your site you may be directly infecting people or you are part of spreading the infection. There are ad rotators involved which usually combined with geotargeting makes things even harder to detect.

    Last week it was rightmedia who were caught spreading malware through their ads.
    http://stopmalvertising.com/malverti...xtreme-caution
    http://stopmalvertising.com/malverti...inccom-payload

    Take note, all these ad companies are owned by yahoo. They just don't check things properly, I think they see the $$$ just fine but that's about it.


    Can you please send me the name of your site to check that it hasn't been hacked / compromised. Wordpress is the main target for these hacks.
    This is especially important if you are using either Network Solutions, Dreamhost or Godaddy as your webhost.

#5 - Mike-XS
    Jakki because you are hosted at Godaddy you have probably been a victim of the recent mass server hacking.

    Please scan your site with this tool to get a detailed report of any currently infected & hacked files:

    Sucuri Web Integrity Monitoring

    I found your site theme had files which appear to be infected:

    wp-content/themes/GrooveGreen/menu/mootools-1.2.1-core-yc.js
    The MenuMatic.js is also detected.

    More info from a previous hack using the menumatic file:
    the file /js/MenuMatic_0.68.3.js did load the infected script so look for onInit_begin: (function () {F65a045b3()})
    - note: the name of the function will be different and match the function name in mootools-1.2.1-core-yc.js

    code has been added under Class definition: in MenuMatic_0.68.3.js
    Three other commonly infected files with this server hack are :
    •/wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/style.css.php
    •/wp-includes/functions.php
    •/wp-includes/http.php
    There could be other files and things could change as the infections are cleaned up and then the site is reinfected. Network solutions has been getting rehacked every weekend lately, so I don't think this problem is going away anytime soon.

    Be prepared for the weekends; that's when the hackers strike, because no one is usually able to respond to the problems and damage they cause until at least Monday, leaving them two full days to mass infect people.

    --

    Please check this for details about the hack and how to clean things up:
    http://www.wpsecuritylock.com/cechri...dy-case-study/

    The script used to infect people has been updated and changed since the hack was first described in the article above, so you may have different files affected.
    Your site is still infected and the malicious files could be updated anytime.

    WordPress blogs hosted on Go Daddy and other hosting companies were hacked by another malicious attack on April 24, 2010 at 6:54am.
    A nasty little exploit has hit a large number of Go Daddy-hosted WordPress blogs this weekend. The best part is that the exploit only executes when the traffic is referred by Google, making it the sort of thing that site maintainers won't easily notice. Clever and devious.
    --

    Important: You should be very careful that you haven't been infected yourself. Do a full virus scan etc.
    Last edited by Mike-XS; 30 April, 2010 at 00:10 AM.

#6 - jakki
    Hello Mike,

    Thank you a lot for writing a great, informative post, and thanks a lot for your time.

    I am going to replace that file with the default file and hope this will solve my problem.

#7 - Mike-XS
    It's unfortunate that Godaddy have placed the blame on everything and anything they can find and totally ignore the fact that their servers are insecure.

    They simply do not seem to care about their customers enough to take things seriously. Once a large proportion of users leave Godaddy over these repeated hacks, maybe they will reconsider looking into where the real problems are.

    It's amazing that one of Godaddy's own customers had to do the hard work to find out why his and everyone else's sites continue to be mass hacked.

    While GoDaddy was busy blaming its users, one of our friends got tired of getting hacked and set up a cron script to monitor his site and alert him when new files were added.
    I called GoDaddy and they insisted it was a problem in my code. Although I knew they were wrong, there was really nothing I could do.
    Godaddy is aware of this, but they continue to try to deflect the blame onto others. They even lie. They deleted a file from my site that had "good" base 64 encoded code, then claimed they didn't do it.
    -> Sucuri Security: Found code used to inject the malware at GoDaddy


    Most people who have tried to deal with the ignorant Godaddy technical support are now recommending that everyone run as fast as you can away from Godaddy and find another host.

    More info:
    Hosting With GoDaddy? Might Want To Rethink That Decision. | Smackdown!

    These hacks affect network solutions and dreamhost, maybe many other hosts too, but the hacks won't ever stop at Godaddy until they take responsibility for the insecurity of their own infrastructure.

    I hope you aren't stuck with Godaddy hosting Jakki. As the other web hosts have already realised and admitted, this is not a wordpress vulnerability, or because of out of date scripts. These mass hackings are due to insecure shared server configurations and it's been proven now that nothing you can do to protect your site will have any effect to stop the hacks from continuing.
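The cron-driven file monitor mentioned in post #7, combined with the indicators from post #5 (the injected onInit_begin hook in MenuMatic_0.68.3.js and the three commonly modified wp-includes paths), as an added example. This is not code from the thread, from Sucuri or from WordPress; the directory layout, sample file contents and the regular expression are constructed for the example. It takes a SHA-256 baseline of an install, reports files added, changed or removed since then, and greps .js/.php files for a hook that only calls an obfuscated function name.

```python
"""File-integrity monitor for a WordPress tree (added example, not the thread's code)."""
import hashlib
import json
import os
import re
import tempfile

# Indicator quoted in post #5: onInit_begin: (function () {F65a045b3()}),
# where the called function name varies per infection (regex is an assumption).
INJECTED_HOOK = re.compile(
    r"onInit_begin\s*:\s*\(\s*function\s*\(\s*\)\s*\{\s*[A-Za-z_$][\w$]*\s*\(\s*\)\s*;?\s*\}\s*\)"
)
# Paths post #5 lists as commonly touched by this server hack.
WATCH_PATHS = {
    "wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/style.css.php",
    "wp-includes/functions.php",
    "wp-includes/http.php",
}
SCAN_SUFFIXES = (".js", ".php")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return result


def save_baseline(root, baseline_path):
    """Write the current snapshot to a JSON file kept outside the web root."""
    with open(baseline_path, "w") as f:
        json.dump(snapshot(root), f, indent=1, sort_keys=True)


def compare(root, baseline_path):
    """Return (added, modified, removed) file lists relative to the baseline."""
    with open(baseline_path) as f:
        baseline = json.load(f)
    current = snapshot(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def find_injected_hooks(root):
    """List .js/.php files whose contents match the injected onInit_begin hook."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SCAN_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as f:
                if INJECTED_HOOK.search(f.read()):
                    hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: take a clean baseline, then simulate the changes post #5 describes."""
    root = tempfile.mkdtemp()
    baseline = os.path.join(tempfile.mkdtemp(), "baseline.json")
    _write(root, "wp-includes/functions.php", "<?php function wp_ok() {}\n")
    _write(root, "wp-content/themes/GrooveGreen/menu/MenuMatic_0.68.3.js",
           "var MenuMatic = new Class({\n  Implements: [Options]\n});\n")
    save_baseline(root, baseline)
    # Simulated modifications (constructed): edited core file, injected hook, dropped file.
    _write(root, "wp-includes/functions.php", "<?php function wp_ok() {} /* changed */\n")
    _write(root, "wp-content/themes/GrooveGreen/menu/MenuMatic_0.68.3.js",
           "var MenuMatic = new Class({\n  onInit_begin: (function () {F65a045b3()}),\n"
           "  Implements: [Options]\n});\n")
    _write(root, "wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/style.css.php",
           "<?php /* dropped */\n")
    added, modified, removed = compare(root, baseline)
    return {
        "added": added,
        "modified": modified,
        "removed": removed,
        "watch_hits": sorted(p for p in added + modified if p in WATCH_PATHS),
        "hook_hits": find_injected_hooks(root),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run save_baseline once on a known-clean install (for instance right after restoring the theme and core files from the official packages), then run compare and find_injected_hooks from cron, say hourly over the weekend, and mail yourself anything returned; any .php file under an img directory or any change to wp-includes deserves a look even when it is not in WATCH_PATHS.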
