Very Strange....


Suzuko
June 20th, 2004, 11:22 AM
Last night my computer started behaving strangely, everything froze up and when I tried to close some windows about two dozen small gray windows opened, one after the other in a cascade, all saying the same thing, something about Visual Basic C++ runtime errors.

I could not shut anything down the normal way so I tried to use the Task Manager, but after hitting Ctrl+Alt+Del an error message came up saying Task Manager has created errors and will be closed by Windows. After clicking OK on the Task Manager error message, ALL the open windows closed, AND Zone Alarm Pro vanished from the tray.

At this point I disconnected from the internet and reopened ZA to look at the Alerts log. Lo and behold, it showed there were hundreds upon hundreds of attempts by "explorer.exe" to make an outgoing connection to a certain IP address and "gawab.com" which is a web-based free email service.

Fortunately I had just updated all my security apps - NAV, Spybot S&D, AdAware, PestPatrol and SpySweeper - and ran full system scans with each of them in sequence. Nothing very bad came up until I ran SpySweeper, which found "Acid Shivers" trojan horse and "Sc-keylog". I thought it was odd that PestPatrol or Spybot didn't find these.

Before allowing SpySweeper to make any changes, I looked up how to remove those two pests. None of the files or registry entries they are supposed to add were present on the computer. And SpySweeper said it's going to remove these registry entries which were not present in the registry when I searched for them. I let SS do its thing anyway.

Now, the really strange thing is that according to what I read about "Acid Shivers" it first of all doesn't run under Windows 2000 (well, maybe there's a "new and improved" version?) and secondly, even though I could find no evidence of the program anywhere in my computer, the behavior reported in the ZA Alerts seems to indicate that this pest was indeed present.

So now I have no idea WTF is going on. Can anyone tell me?

controler
June 20th, 2004, 11:34 AM
I am sure someone will tell you to post the normal HijackThis log lol
In the early days, Pepik was adding some keyloggers but I have not been part of that scene for some time now so I don't know if he still does or not.
If he is, send the sample to him and it will get added. In general, Spybot is not an AV, AT or firewall. It is a Spyware removal tool with extra hijack protection and his addition of the Keylogging DEFs was only an extra perk added to an already good program.

con

Suzuko
June 20th, 2004, 11:35 AM
Should I post it in this thread?

snowbound
June 20th, 2004, 11:37 AM
-{ Quote: "Should I post it in this thread?" }-

No, post your HJT log in the Hijack cleaning forum.


snowbound

snowbound
June 20th, 2004, 11:38 AM
Also please follow these instructions first,

http://www.wilderssecurity.com/showthread.php?t=15913


snowbound

Suzuko
June 20th, 2004, 11:55 AM
Done.

http://www.wilderssecurity.com/showthread.php?t=37217

Suzuko
June 20th, 2004, 01:31 PM
I just checked my Zone Alarm Alerts log again, and it shows 68 blocked attempts this morning of "explorer.exe" trying to make an outgoing connection to the same IP address as last night.

Gavin - DiamondCS
June 21st, 2004, 12:27 AM
This means you have a trojan (or at least adware) injected into explorer.exe.

Please contact me if you want further assistance, I'd suggest you email that explor~2.dll as well > submit@diamondcs.com.au

Suzuko
June 21st, 2004, 12:07 PM
According to ZA there were a total of 584 attempts by "explorer.exe" to connect to 204.97.230.39 and smtp.gawab.com in less than 24 hours, and at least half of that time I was offline.

I installed and ran Ewido. The scan of just my C: drive took 97 minutes and it didn't find anything.

I found another app, Trojan Hunter, which I downloaded, installed, updated and ran. The scan (it took less than 10 minutes) found a suspect file called explorerhk.dll which I let it go ahead and rename. As soon as this was done, the aforementioned outgoing connection attempts stopped occurring.

Before running Trojan Hunter, I had found a reference on another forum to explorer.exe possibly being a trojan if it is located outside of the C:\windows folder. So I looked everywhere else for that file, and found several suspicious files in C:\WINNT\system32, including explorerr.exe (note the double "r") and explorerhk.dll, plus an explorer.exe, 384kb in size, with its own icon that looks like a filmstrip from a camera.

All these suspicious files had a creation date of June 19, 2003 (not 2004) @ 7:09:05 p.m., which time is just before the trouble began this past Saturday. Do you want me to send them all? Should I put them in an encrypted zip file?

I am not sure what you mean by "injected into explorer.exe" and I did not see a file called explor~2.dll.
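The pattern Suzuko saw in the ZoneAlarm log (a shell process making hundreds of outbound SMTP attempts) is detectable from the firewall log alone, before any scanner names the culprit. The script below is an added example, not code from the thread or from any of the products mentioned; the log lines are constructed in a simplified format (not ZoneAlarm's real ZAlog layout), and only the IP and hostname come from the thread. Because the injected DLL runs inside a legitimate process, the rule keys on behaviour (non-mail software speaking to mail ports) rather than on the process name.

```python
"""Flag processes that repeatedly open connections to SMTP ports although
they are not mail clients. Added example; the log format and the list of
legitimate mail clients are assumptions, not ZoneAlarm's own."""
from collections import Counter

# Constructed sample lines: date time ACTION program -> host:port
SAMPLE_LOG = """\
2004-06-20 01:12:03 BLOCK explorer.exe -> 204.97.230.39:25
2004-06-20 01:12:04 BLOCK explorer.exe -> 204.97.230.39:25
2004-06-20 01:12:05 BLOCK explorer.exe -> smtp.gawab.com:25
2004-06-20 01:12:09 ALLOW iexplore.exe -> 66.102.7.99:80
2004-06-20 01:12:11 BLOCK explorer.exe -> 204.97.230.39:25
2004-06-20 01:13:20 ALLOW outlook.exe -> 10.0.0.5:25
"""

MAIL_PORTS = {25, 465, 587}          # SMTP, SMTPS, submission
# Programs with a legitimate reason to speak SMTP (assumed list). A shell
# process such as explorer.exe has no business on these ports at all.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def parse(line):
    """Split one constructed log line into a dict of its fields."""
    date, time, action, program, _arrow, dest = line.split()
    host, port = dest.rsplit(":", 1)
    return {"ts": f"{date} {time}", "action": action,
            "program": program.lower(), "host": host, "port": int(port)}


def suspicious_smtp(log_text, threshold=3):
    """Return {program: {"attempts": n, "hosts": [...]}} for every non-mail
    program with at least `threshold` connection attempts to a mail port.
    Blocked and allowed attempts both count: the behaviour is the signal."""
    attempts = Counter()
    hosts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev["port"] not in MAIL_PORTS or ev["program"] in MAIL_CLIENTS:
            continue
        attempts[ev["program"]] += 1
        hosts.setdefault(ev["program"], set()).add(ev["host"])
    return {p: {"attempts": n, "hosts": sorted(hosts[p])}
            for p, n in attempts.items() if n >= threshold}


if __name__ == "__main__":
    for program, info in suspicious_smtp(SAMPLE_LOG).items():
        print(f"{program}: {info['attempts']} SMTP attempts to {info['hosts']}")
```

On the thread's own numbers (584 attempts in under a day, half of them while offline) any sane threshold fires immediately; the sample uses a low one only so the constructed log stays short.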

Pilli
June 21st, 2004, 12:35 PM
Hi Suzuko, An ordinary .zip file will do - Send them all and Gavin will advise. :)

Suzuko
June 21st, 2004, 01:02 PM
The package has been sent. I will be looking forward to hearing the findings.

Suzuko
June 29th, 2004, 01:22 AM
OK, Perfect Keylogger was on my PC. I thought it was all gone, and then I saw its icon at the bottom of a page I was working on. I have attached a cropped screenshot.

I deleted all the files this program had installed out of the WINNT\System32 folder. Then the next day while browsing online, suddenly this Perfect Keylogger window - like the one I have attached below (only then it said Three Days, not Two) - appeared "out of nowhere."

Today when the PC booted up, the PK window appeared on the desktop. I figured, what the heck, I'll see what it's about, and clicked the Continue Evaluation button, which caused the error message in the 3rd screenshot attached below.

Suzuko
June 29th, 2004, 01:23 AM
Here's the 2nd screenshot:

Suzuko
June 29th, 2004, 01:24 AM
Here's ss#3:

Gavin - DiamondCS
June 29th, 2004, 03:05 AM
The image in Internet Explorer is the Perfect Keylogger IE plugin, TDS should detect this. Make sure you have the latest databases, then scan and delete all trojans found as Keylog.Perfect.

Infinity
June 30th, 2004, 04:21 PM
-{ Quote: "delete all trojans found as Keylog.Perfect" }-

With all due respect!!!!! but I would delete all trojans... ;)


couldn't let this one slip...

Pilli
June 30th, 2004, 04:26 PM
-{ Quote: "With all do respect!!!!! but I would delete all trojans..." }-

;D ;D