HijackThis Log

Discussion in 'adware, spyware & hijack cleaning' started by scole98, Mar 24, 2004.

Thread Status:
Not open for further replies.
  1. scole98

    scole98 Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    8
    When trying to open my home page I receive the following message:

    "Detected SPYware! System error #384" and various other details about a remote computer gaining access to my computer.

    Whereas I would normally click on the IE icon on my desktop to connect to the net, this no longer brings up the dial-up connection box. I am, therefore, having to go through my dial-up networking folder to log on to the internet, but the trouble with this is, that the connection window that appears minimizes itself almost instantaneously so I have to be double quick with the mouse!!

    I have run an online virus scan (Panda Activescan) and have also run Ad-aware. Below is my HijackThis log.

    I would be most grateful if someone could take a look at this for me and advise what remedial action I should take. Many thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 20:39:02, on 24/03/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\SCREENDRAGON VS3\SCREENDRAGON VS3 TASKBAR.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
    C:\PROGRAM FILES\ACD SYSTEMS\DEVDETECT\DEVDETECT.EXE
    C:\WINDOWS\REG32.EXE
    C:\WINDOWS\SVCHOST.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\SR64\OEAMIHEJ.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\MY DOCUMENTS\SIMON\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://216.65.101.250/sbms/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://216.65.101.250/sbms/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://216.65.101.250/sbms/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://216.65.101.250/sbms/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [cursor] "C:\Program Files\Screendragon VS3\Screendragon VS3 Taskbar.exe"
    O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\COMMON\SWTRAYV4.EXE
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg32.exe
    O4 - HKLM\..\Run: [Online Secuirity] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.net/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/031436.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi scole98,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://216.65.101.250/sbms/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://216.65.101.250/sbms/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://216.65.101.250/sbms/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://216.65.101.250/sbms/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg32.exe
    O4 - HKLM\..\Run: [Online Secuirity] C:\WINDOWS\svchost.exe

    O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/031436.exe

    Then download and run CWShredder written by Merijn (creator of HijackThis)
    Use the Fix button and follow the instructions provided by the program.

    Reboot after doing so, preferably into safe mode and delete:
    C:\WINDOWS\secure.html
    C:\WINDOWS\reg32.exe
    C:\WINDOWS\svchost.exe

    Regards,

    Pieter
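The entries Pieter singles out share two shapes that are easy to recognise mechanically: browser start and search pages that point at a local file (C:\WINDOWS\secure.html) or at a bare IP address, and an O16 ActiveX download that fetches a raw .exe from an IP literal rather than a signed .cab. The following Python is an added triage helper written for this page, not a tool from the thread or from HijackThis itself; it works over a constructed subset of the log lines posted above and only applies those two heuristics, so entries such as the drvvv.com CustomizeSearch line still need a human eye.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the R0/R1/O14/O16 lines from the first log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.net/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/031436.exe
"""

LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")            # a Windows drive path instead of a URL
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")  # dotted-quad host, no DNS name


def target_of(line):
    """Return (section, target) for the HijackThis line kinds this triage understands."""
    m = re.match(r"^(R0|R1|O14|O16) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    if section in ("R0", "R1"):
        # "HKCU\...\Main,Start Page = <target>": the target follows the last " = "
        return section, rest.rpartition(" = ")[2]
    if section == "O14":
        # "IERESET.INF: START_PAGE_URL=<target>"
        return section, rest.partition("=")[2]
    # O16: "DPF: {CLSID} (Name) - <url>", the URL follows the last " - "
    return section, rest.rsplit(" - ", 1)[-1]


def reasons_for(section, target):
    """Apply the two heuristics and return the list of reasons that fired (possibly empty)."""
    reasons = []
    if section in ("R0", "R1", "O14") and LOCAL_PATH.match(target):
        reasons.append("start/search page points at a local file")
    host = urlparse(target).hostname or ""
    if host and IP_LITERAL.match(host):
        reasons.append("target host is a bare IP address")
    if section == "O16" and target.lower().endswith(".exe"):
        reasons.append("ActiveX download is a raw executable, not a .cab")
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every understood line that trips at least one rule."""
    hits = []
    for line in log_text.splitlines():
        parsed = target_of(line)
        if parsed is None:
            continue
        reasons = reasons_for(*parsed)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run as-is it lists three of the six sample lines: the IP-hosted SearchURL, the local-file Start Page, and the O16 dialler download (which trips both the IP and the raw-executable rule). The Flash .cab, the freeserve IERESET entry and the drvvv.com line pass, which is the point of keeping such heuristics narrow: they speed up review of a long log, they do not replace it.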
     
  3. scole98

    scole98 Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    8
    Thanks for the advice Pieter.

    I have done as instructed, but was unable to find either of the following to delete:
    C:\Windows\reg32.exe
    C:\Windows\svchost.exe

    Below is a copy of an up-to-date HijackThis log, which I ran after following your instructions.

    Logfile of HijackThis v1.97.7
    Scan saved at 21:50:47, on 24/03/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\SCREENDRAGON VS3\SCREENDRAGON VS3 TASKBAR.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
    C:\PROGRAM FILES\ACD SYSTEMS\DEVDETECT\DEVDETECT.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SR64\FBBGGGFE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\MY DOCUMENTS\SIMON\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [cursor] "C:\Program Files\Screendragon VS3\Screendragon VS3 Taskbar.exe"
    O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\COMMON\SWTRAYV4.EXE
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.net/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

    Thanks for your time.
    Simon
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I'm pretty sure this is some sort of morphing baddie
    C:\WINDOWS\SYSTEM\SR64\FBBGGGFE.EXE
    if you look at your first log it was C:\WINDOWS\SYSTEM\SR64\OEAMIHEJ.EXE

    I can't see any obvious start up for it

    please do this

    go to http://www.kaspersky.com/remoteviruschk.html
    click on browse and paste this line into the box and press ok C:\WINDOWS\SYSTEM\SR64\FBBGGGFE.EXE

    post back with the results
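Derek's observation above comes from comparing the "Running processes" sections of the first and second logs by hand: the SR64 directory lost OEAMIHEJ.EXE and gained FBBGGGFE.EXE while everything else in it stayed put. The Python below is an added example for this page, not something from the thread or from HijackThis; it automates that comparison over constructed excerpts of the two logs posted above, grouping the churn by directory so that a "same folder, different file name" pattern stands out from ordinary start/stop noise such as SPOOL32.EXE appearing.

```python
from collections import defaultdict

# Constructed excerpts of the "Running processes" sections from scole98's first and second logs.
FIRST_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\REG32.EXE
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\SYSTEM\SR64\OEAMIHEJ.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\SIMON\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
"""

SECOND_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SR64\FBBGGGFE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\SIMON\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
"""


def running_processes(log_text):
    """Collect the paths under 'Running processes:' up to the first blank line, upper-cased."""
    paths = []
    capturing = False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            capturing = True
            continue
        if capturing:
            if not line.strip():
                break
            paths.append(line.strip().upper())
    return paths


def split_dir(path):
    """Split 'C:\\DIR\\FILE.EXE' into ('C:\\DIR', 'FILE.EXE')."""
    directory, _, filename = path.rpartition("\\")
    return directory, filename


def compare(first_log, second_log):
    """Diff two process lists and point out directories whose only change is a swapped file name."""
    before = set(running_processes(first_log))
    after = set(running_processes(second_log))
    gone = sorted(before - after)
    new = sorted(after - before)

    # Group the churn per directory: a folder that lost one name and gained another
    # is the signature worth a second look; a folder that only gained or only lost
    # a process is usually just a program starting or stopping between scans.
    by_dir = defaultdict(lambda: {"gone": [], "new": []})
    for path in gone:
        directory, filename = split_dir(path)
        by_dir[directory]["gone"].append(filename)
    for path in new:
        directory, filename = split_dir(path)
        by_dir[directory]["new"].append(filename)
    renamed_in_place = {d: v for d, v in by_dir.items() if v["gone"] and v["new"]}

    return {"gone": gone, "new": new, "renamed_in_place": renamed_in_place}


if __name__ == "__main__":
    result = compare(FIRST_LOG, SECOND_LOG)
    for path in result["gone"]:
        print("-", path)
    for path in result["new"]:
        print("+", path)
    for directory, change in result["renamed_in_place"].items():
        print("renamed in place:", directory, change["gone"], "->", change["new"])
```

On the constructed excerpts the REG32.EXE and SVCHOST.EXE entries show up as plainly gone (they were fixed in the previous step), SPOOL32.EXE as plainly new, and only C:\WINDOWS\SYSTEM\SR64 is reported as a rename in place, which is exactly the folder the rest of the thread goes on to investigate.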
     
  5. scole98

    scole98 Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    8
    Results of scan:

    Current object: FBBGGGFE.EXE

    FBBGGGFE.EXE Packed: PECompact
    FBBGGGFE.EXE Ok


    Statistics:
    Known viruses: 84632 Updated: 25.03.2004
    File size (Kb): 19 Scan time: 00:00:01
    Speed (Kb/sec): 19 Virus bodies: 0
    Archives: 0 Packed: 1
    Folders: 0 Files: 1
    Suspicious: 0 Warnings: 0

    Hope this helps.
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi scole98,

    Welcome to Wilders.

    Download this Zip File.
    Unzip it to the desktop.
    Be sure to have at least one internet explorer open.
    Double click on the runme.bat
    Notepad will open with a log in it.
    Please copy and paste the log into this post.

    Regards,
    Kent
     
  7. scole98

    scole98 Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    8
    Thanks Kent, the log follows:


    Module information for 'IEXPLORE.EXE'
    MODULE BASE SIZE PATH
    PLUGIN.OCX 1ec0000 98304 C:\WINDOWS\SYSTEM\PLUGIN.OCX
    COMDLG32.DLL 7fe10000 184320 C:\WINDOWS\SYSTEM\COMDLG32.DLL
    ACTXPRXY.DLL 7f7d0000 86016 C:\WINDOWS\SYSTEM\ACTXPRXY.DLL
    MSHTMLED.DLL 7acf0000 245760 C:\WINDOWS\SYSTEM\MSHTMLED.DLL
    JSCRIPT.DLL 7c250000 483328 C:\WINDOWS\SYSTEM\JSCRIPT.DLL
    IMM32.DLL bfe20000 16384 C:\WINDOWS\SYSTEM\IMM32.DLL
    MSLS31.DLL 7a410000 163840 C:\WINDOWS\SYSTEM\MSLS31.DLL
    MSHTML.DLL 7ad30000 2359296 C:\WINDOWS\SYSTEM\MSHTML.DLL
    SENSAPI.DLL 77f20000 20480 C:\WINDOWS\SYSTEM\SENSAPI.DLL
    MYDOCS.DLL 792f0000 69632 C:\WINDOWS\SYSTEM\MYDOCS.DLL
    MSXML.DLL 79350000 516096 C:\WINDOWS\SYSTEM\MSXML.DLL
    RNR20.DLL 783c0000 61440 C:\WINDOWS\SYSTEM\RNR20.DLL
    RASAPI32.DLL 7f880000 217088 C:\WINDOWS\SYSTEM\RASAPI32.DLL
    SECUR32.DLL 7f870000 40960 C:\WINDOWS\SYSTEM\SECUR32.DLL
    MSVCRT20.DLL 7fc30000 282624 C:\WINDOWS\SYSTEM\MSVCRT20.DLL
    SVRAPI.DLL 7f950000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL
    MSNET32.DLL 7fb00000 77824 C:\WINDOWS\SYSTEM\MSNET32.DLL
    MSPWL32.DLL 7fb40000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL
    TAPI32.DLL 7f960000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL
    MPR.DLL 7fbf0000 57344 C:\WINDOWS\SYSTEM\MPR.DLL
    MSAFD.DLL 7b410000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL
    NETAPI32.DLL 7f990000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL
    NETBIOS.DLL 7f840000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
    WSOCK32.DLL 75fa0000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL
    MSWSOCK.DLL 794d0000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL
    WS2_32.DLL 76000000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL
    WS2HELP.DLL 75fe0000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL
    MLANG.DLL 7b760000 487424 C:\WINDOWS\SYSTEM\MLANG.DLL
    SHDOCLC.DLL 77d50000 356352 C:\WINDOWS\SYSTEM\SHDOCLC.DLL
    URLMON.DLL 77030000 450560 C:\WINDOWS\SYSTEM\URLMON.DLL
    VERSION.DLL bfe70000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL
    RPCRT4.DLL 7fb90000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL
    ACROIEHELPER.OCX cb0000 32768 C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    OLEAUT32.DLL 77980000 610304 C:\WINDOWS\SYSTEM\OLEAUT32.DLL
    SR32.DLL 10000000 24576 C:\WINDOWS\SYSTEM\SR64\SR32.DLL
    IMAGEHLP.DLL 7cc00000 118784 C:\WINDOWS\SYSTEM\IMAGEHLP.DLL
    MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL
    SHFOLDER.DLL 71a20000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL
    WININET.DLL 76280000 458752 C:\WINDOWS\SYSTEM\WININET.DLL
    BROWSELC.DLL 7f400000 45056 C:\WINDOWS\SYSTEM\BROWSELC.DLL
    BROWSEUI.DLL 7f330000 802816 C:\WINDOWS\SYSTEM\BROWSEUI.DLL
    OLE32.DLL 7ff20000 790528 C:\WINDOWS\SYSTEM\OLE32.DLL
    SHDOCVW.DLL 77c60000 942080 C:\WINDOWS\SYSTEM\SHDOCVW.DLL
    SHELL32.DLL 7fcb0000 1400832 C:\WINDOWS\SYSTEM\SHELL32.DLL
    COMCTL32.DLL bfe90000 573440 C:\WINDOWS\SYSTEM\COMCTL32.DLL
    IEXPLORE.EXE 400000 77824 C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    SHLWAPI.DLL 70bd0000 278528 C:\WINDOWS\SYSTEM\SHLWAPI.DLL
    USER32.DLL bff50000 69632 C:\WINDOWS\SYSTEM\USER32.DLL
    GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL
    ADVAPI32.DLL bfe80000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL
    KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL

    Regards,
    Simon
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    despite Kaspersky giving it the all clear it must be bad, as I don't know any good files that morph like that

    please copy this file C:\WINDOWS\SYSTEM\SR64\FBBGGGFE.EXE

    and send it to the email address listed on the spykiller site in my signature so we can try and find out what it does.

    once we know something, we will be able to fix it
     
  9. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    I totally agree. I had Simon post the log above to see if I saw anything suspicious attached to IE, but the log looks OK.

    The only thing I see left is that morphing file....

    Regards,
    Kent
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    in fact can you try and copy everything in this folder C:\WINDOWS\SYSTEM\SR64 and send it. I am sure there must be another file in there as well causing trouble
     
  11. scole98

    scole98 Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    8
    Thanks, just e-mailed..... interestingly I couldn't locate the file in windows explorer, but managed to through MS-DOS Prompt. When I did a directory search under C:\WINDOWS\SYSTEM\sr64 I found the following:

    DJPIEHMA EXE 19,105 21/03/04 19:48 djpiehma.exe
    SR32 DLL 7,168 24/03/04 21:47 sr32.dll
    ELHCCPCH EXE 19,105 21/03/04 19:48 elhccpch.exe
    DCOHGIAG EXE 19,105 21/03/04 19:48 dcohgiag.exe
    FKMLCOKL EXE 19,105 21/03/04 19:48 fkmlcokl.exe
    IBOFDJAA EXE 19,105 21/03/04 19:48 ibofdjaa.exe
    OCOKNAMO EXE 19,105 21/03/04 19:48 ocoknamo.exe
    MLJPJDHD EXE 19,105 21/03/04 19:48 mljpjdhd.exe
    OJLLLPNG EXE 19,105 21/03/04 19:48 ojlllpng.exe
    AKLHLGFL EXE 19,105 21/03/04 19:48 aklhlgfl.exe
    ALLDFJMO EXE 19,105 21/03/04 19:48 alldfjmo.exe
    FNDBNLPH EXE 19,105 21/03/04 19:48 fndbnlph.exe
    OEAMIHEJ EXE 19,105 21/03/04 19:48 oeamihej.exe
    FBBGGGFE EXE 19,105 21/03/04 19:48 fbbgggfe.exe

    Both files (pre and post-morph) are present. Any ideas?!?!

    Thanks,
    Simon
    ps. I'd better sign off for the night, got to work tomorrow!
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I need the sr32.dll as well please

    the others are all morphed copies by the looks of it

    I have submitted it to Kaspersky for urgent analysis and should get feedback during the night,

    I'll post as soon as I hear, probably in the morning
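The DIR listing Simon posted makes Derek's "morphed copies" call easy to check: every .exe in SR64 has the same size (19,105 bytes), the same timestamp (21/03/04 19:48) and an eight-letter name with no recognisable word in it, while sr32.dll is the odd one out with its own size and a much later timestamp. The Python below is an added example for this page, not a tool from the thread; it parses MS-DOS DIR output of the shape shown above (embedded here as a constructed string), clusters files by size, timestamp and extension, and reports clusters of identically-sized, generated-looking names as probable copies of one binary, leaving whatever does not fit the cluster for separate analysis.

```python
import re
from collections import defaultdict

# Constructed sample: part of the MS-DOS DIR output for C:\WINDOWS\SYSTEM\sr64 posted above.
DIR_LISTING = """
DJPIEHMA EXE 19,105 21/03/04 19:48 djpiehma.exe
SR32 DLL 7,168 24/03/04 21:47 sr32.dll
ELHCCPCH EXE 19,105 21/03/04 19:48 elhccpch.exe
DCOHGIAG EXE 19,105 21/03/04 19:48 dcohgiag.exe
FKMLCOKL EXE 19,105 21/03/04 19:48 fkmlcokl.exe
OEAMIHEJ EXE 19,105 21/03/04 19:48 oeamihej.exe
FBBGGGFE EXE 19,105 21/03/04 19:48 fbbgggfe.exe
"""

# Six whitespace-separated fields: 8.3 name, 8.3 extension, size, date, time, long file name.
DIR_LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+([\d,]+)\s+(\d\d/\d\d/\d\d)\s+(\d\d:\d\d)\s+(\S+)$"
)


def parse_dir(text):
    """Turn DIR output lines into dicts with name, ext, size (int) and a combined timestamp."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue  # headers, blank lines, totals
        entries.append({
            "name": m.group(6).lower(),
            "ext": m.group(2).lower(),
            "size": int(m.group(3).replace(",", "")),
            "stamp": m.group(4) + " " + m.group(5),
        })
    return entries


def looks_generated(stem):
    """Heuristic: eight letters, no digits or separators, the shape of every .exe in this folder."""
    return re.fullmatch(r"[a-z]{8}", stem) is not None


def find_clones(entries, min_members=3):
    """Group by (size, timestamp, ext); report groups of generated-looking names as clones."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["size"], e["stamp"], e["ext"])].append(e["name"])
    clones = []
    for (size, stamp, ext), names in groups.items():
        stems = [n.rsplit(".", 1)[0] for n in names]
        if len(set(names)) >= min_members and all(looks_generated(s) for s in stems):
            clones.append({"size": size, "stamp": stamp, "ext": ext,
                           "names": sorted(set(names))})
    return clones


def odd_ones_out(entries, clones):
    """Everything in the folder that did not fall into a clone cluster deserves its own look."""
    cloned = {n for c in clones for n in c["names"]}
    return sorted(e["name"] for e in entries if e["name"] not in cloned)


if __name__ == "__main__":
    entries = parse_dir(DIR_LISTING)
    clones = find_clones(entries)
    for c in clones:
        print(f"{len(c['names'])} files of {c['size']} bytes stamped {c['stamp']}: {c['names']}")
    print("not part of any cluster:", odd_ones_out(entries, clones))
```

On the sample the six .exe files collapse into a single cluster and sr32.dll is the only file left over, which matches Derek's request for that DLL in particular: when a folder is full of interchangeable copies, the file that is different is usually the one doing the work.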
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I've just had this reply back from the TDS developers so it looks a nasty little so & so
    Its a trojan proxy I think, am looking closely but tends to look like one
    Definitely a trojan, injects that DLL into all and new processes and will crash a lot, including TDS-3

    Best idea would be remove all files from that folder in Safe Mode

    so do this please

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"

    then
    delete this folder C:\WINDOWS\SYSTEM\SR64

    reboot & post a new hjt log to check please
     
  14. scole98

    scole98 Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    8
    Thanks for your help Derek, I have done as instructed and now post an up-to-date HijackThis log below.

    Apologies for the delay on this, I've been at work all day!

    Logfile of HijackThis v1.97.7
    Scan saved at 18:44:12, on 25/03/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\SCREENDRAGON VS3\SCREENDRAGON VS3 TASKBAR.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
    C:\PROGRAM FILES\ACD SYSTEMS\DEVDETECT\DEVDETECT.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\MY DOCUMENTS\SIMON\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.freeserve.com:8080/pac.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [cursor] "C:\Program Files\Screendragon VS3\Screendragon VS3 Taskbar.exe"
    O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\COMMON\SWTRAYV4.EXE
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [sr64] C:\WINDOWS\SYSTEM\SR64\OBANBCDH.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.net/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  15. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

    O4 - HKCU\..\Run: [sr64] C:\WINDOWS\SYSTEM\SR64\OBANBCDH.EXE

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files
    NONE


    and Delete these folders
    C:\WINDOWS\SYSTEM\SR64\

    then
    Reboot normally & post another log please to check

    hopefully it's just a start up entry and you won't find the system/sr64 folder because we deleted it
     
  16. scole98

    scole98 Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    8
    OK, I've fixed the items in hijackthis, but had already deleted the folder c:\windows\system\sr64 and its contents as instructed earlier.

    If you would still like me to forward a zip copy of these items, I think they should still be in my outbox from last night, so let me know and I will forward the message again.

    Latest hijackthis log follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 21:39:08, on 25/03/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\SCREENDRAGON VS3\SCREENDRAGON VS3 TASKBAR.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
    C:\PROGRAM FILES\ACD SYSTEMS\DEVDETECT\DEVDETECT.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\MY DOCUMENTS\SIMON\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [cursor] "C:\Program Files\Screendragon VS3\Screendragon VS3 Taskbar.exe"
    O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\COMMON\SWTRAYV4.EXE
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.net/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

    Thanks again for your time.
    Simon
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi Simon

    Just do a quick check to make sure the folder hasn't re-appeared

    otherwise it all looks clear now

    I am just a bit puzzled as to why there were no start up entries when the files existed but one appears with no files, especially with the name of a file that we hadn't had already

    It makes me wonder whether there is another bad file somewhere on the computer that is the dropper for these trojans

    hopefully it was just a blip as you deleted the folder that caused it

    any more problems post back.
     
  18. scole98

    scole98 Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    8
    Hi Derek,

    I've just checked and it looks as if the folder has gone.

    Many thanks for all your help in getting this sorted.

    Best regards,

    Simon
     