Hey guys, I've been in several forums but they can't find any solution to my problem. I managed to stop my kernel32.dll going out but it still keeps trying (but it's blocked). I checked and cleaned my registry "Run". I used Spybot S&D but it's still there. Here's the log file as follows:

Reason: Allow Outgoing DHCP
Application: KERNEL32.DLL
Remote Host: irc.dal.net
Remote Port: 67
Direction: Outbound
Protocol: UDP
Hi mc-2000, Please download Hijackthis, unzip and run it: Scan > Save log, rename the .log to .txt and post it. Then under Config > Misc Tools > generate Startuplog and post that log as well. Let's see if we can figure this out. Regards, Pieter
Here it is. Hope you can help me. I have had this for almost one month now; nobody on the net can help me yet.

Logfile of HijackThis v1.91.2
Scan saved at 9:42:35 AM, on 1/29/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BatteryBar] c:\program files\batterybar\batterybar.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [Dimension4] C:\PROGRAM FILES\D4\D4.EXE
O4 - HKLM\..\Run: [Iusage] C:\PROGRAM FILES\INTERNET USAGE MONITOR V7.7\NETDET.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\idetect.exe /auto
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [InternalSystray] c:\windows\system\kernel32.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust\Antivirus\InoRT9x.exe
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
O4 - HKLM\..\RunServices: [Detect] C:\Program Files\iNTERNET Turbo\idetect.exe /auto
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - HKCU\..\Run: [TClockEx] "D:\Program Files\TClockEx\TCLOCKEX.EXE"
O4 - Startup: maxmem.lnk = D:\Program Files\AnalogX\MaxMem\maxmem.exe
O4 - Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37604.7922800926
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

Here's the startup log...

StartupList report, 1/29/03, 9:43:45 AM
StartupList version: 1.51
Started from : C:\UNZIPPED\HIJACKTHIS191\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\INORT9X.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPERLITE\DKSERVICE.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BATTERYBAR\BATTERYBAR.EXE
C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\REALMON.EXE
C:\PROGRAM FILES\D4\D4.EXE
C:\PROGRAM FILES\INTERNET USAGE MONITOR V7.7\NETDET.EXE
C:\PROGRAM FILES\INTERNET TURBO\IDETECT.EXE
D:\PROGRAM FILES\ANALOGX\MAXMEM\MAXMEM.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBTRAY.EXE
C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS191\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

--------------------------------------------------
Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
maxmem.lnk = D:\Program Files\AnalogX\MaxMem\maxmem.exe
GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
Norton System Doctor.LNK = C:\Program Files\Norton Utilities\SYSDOC32.EXE

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
BatteryBar = c:\program files\batterybar\batterybar.exe
Realtime Monitor = "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
Dimension4 = C:\PROGRAM FILES\D4\D4.EXE
Iusage = C:\PROGRAM FILES\INTERNET USAGE MONITOR V7.7\NETDET.exe
Outpost Firewall = C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
Detect = C:\Program Files\iNTERNET Turbo\idetect.exe /auto
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
InternalSystray = c:\windows\system\kernel32.exe

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

InoRT = C:\Program Files\CA\eTrust\Antivirus\InoRT9x.exe
Outpost Firewall = C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
Detect = C:\Program Files\iNTERNET Turbo\idetect.exe /auto
DkService = C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
GoBack Polling Service = C:\Program Files\Roxio\GoBack\GBPoll.exe

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

TClockEx = "D:\Program Files\TClockEx\TCLOCKEX.EXE"

--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 24/1/2003, 19:38:10)

[rename]
NUL=c:\GBREBOOT.EXE
C:\PROGRA~1\ROXIO\GOBACK\ShellExt.dll=C:\PROGRA~1\ROXIO\GOBACK\SHELLEXT.TMP
C:\PROGRA~1\ROXIO\GOBACK\GBPoll.exe=C:\PROGRA~1\ROXIO\GOBACK\GBPOLL.TMP
NUL=c:\GBSETHLP.VXD
NUL=c:\GB1033.LNG
NUL=ø<E
NUL=c:\GOBACK.RXC
NUL=c:\GBSETUP.EXE

--------------------------------------------------
C:\AUTOEXEC.BAT listing:

SET AVENGINE=C:\PROGRA~1\CA\COMMON\SCANEN~1
C:\PROGRA~1\CA\COMMON\SCANEN~1\EXAMINE.EXE
PATH=C:\PROGRA~1\CA\COMMON\SCANEN~1;C:\PROGRA~1\CA\ETRUST\ANTIVI~1;"C:\Program Files\Executive Software\DiskeeperLite\"
SET INOCULAN=C:\PROGRA~1\CA\ETRUST\ANTIVI~1

--------------------------------------------------
Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE}

--------------------------------------------------
Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------
Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37604.7922800926

[DmiReader Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SYSPRO~1.DLL
CODEBASE = http://ftp.us.dell.com/fixes/PROFILER.CAB

--------------------------------------------------
End of report, 5,456 bytes
Report generated in 0.362 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Hi mc-2000,

This is what I can make of it.

Is this a trojan?
InternalSystray = c:\windows\system\kernel32.exe (OptixPro)
Feel free to download a free trial of an AT here: http://www.wilders.org/anti_trojans.htm to check that.

Other suspects for causing connections:
D4.exe (program used for time synchronisation)
idetect.exe (browser speed enhancer)
DAP (download manager, spyware)

Unneeded in Startup:
GBPoll.exe
GBTray.exe
Sysdoc32.exe

Unknown (to me):
Batterybar.exe
Netdet.exe

To easily manipulate what starts up and what not: http://www.mlin.net/StartupMonitor.shtml

Regards,
Pieter
My theory of what causes this is confirmed. I ran in safe mode and did not load anything. Inside Windows I ran Outpost... lo and behold... this kernel32 is still there. In other words, Outpost was the one processing it. So I uninstalled it and installed it again... now I have this log.

Allow Outgoing DHCP KERNEL32.DLL 01/30/03 12:28:38 AM 255.255.255.255 67 Outbound UDP

What a mystery, that irc thing... what do you think really happened? These past several weeks I learned a lot because of this problem. I even tried learning basic knowledge about trojans... now I end up having several undetected trojans... what a life.
1. Your Netdet.exe is this program and it is OK.

Net tracking
To track hours on the Internet, eWorld readers may find this freeware useful.
Internet Usage Monitor v7.7 - 1014 KB
Internet Usage Monitor will monitor the time spent on the Internet and will calculate the total cost of online time according to the local telephone charges that the user enters. This program makes it easy to budget online time.
Salient features:
Automatically detects when you go online
Online Timer facility
Detailed analysis in the form of colourful charts and graphs
Session-by-session usage monitoring
Yearly reports
Displays current session's time & cost as a tool tip.

2. Your Kernel32.exe is not good. It could be many types of back door trojans, but you should try this...

Backdoor.G_Door
--------------------------------------------------------------------------------
This backdoor uses standard client-server technology and includes two parts - client and server; both are Windows executable files (PE EXE). The backdoor server is installed on victim computers, and the client controls them from a remote station.

Installation
When the server is run on a victim computer, it installs itself to the system - moves itself to the Windows system directory with the KERNEL32.EXE name and changes the system registry keys:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE %1"
[HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE %1"

The name of the Windows system directory (here it is "C:\\WIN98\SYSTEM") depends on system configuration. As a result of such registration in the system registry the server starts automatically at boot time (first two keys), as well as each time a TXT file is opened.

In this way the server starts on Windows startup, and restarts if its process is unloaded from system memory by a user. Moreover, the server permanently (about every 10 seconds) controls its registry keys. In case these keys are changed (the reference to the server file is deleted), the server restores them to the "infected" state. As a result the backdoor server removal procedure is not a simple problem: it is impossible to remove or rename the KERNEL32.EXE backdoor server file (it is active and locked by the system); the registry keys are controlled by the server (this makes it impossible to reboot the system with a "clean" registry). Under Win9x, to get rid of this backdoor it is possible to boot the computer in DOS mode and remove the KERNEL32.EXE file from the Windows system directory, and after booting Windows it is necessary to remove references to this file in the system registry. Under WinNT it is necessary to kill the backdoor's process in Windows memory, then delete the server EXE file and clear the system registry keys.

Server
To get a connection to the client component the backdoor server uses the socket 7626 and periodically listens on it. When the server is connected with a client, it executes the client's commands and controls the victim computer: manipulates the victim's file system - copies, moves, deletes, creates files, etc.

Client
The client has the ability to scan for active servers. On connection to a server the client gets control of the victim computer's resources. The client GUI is adapted to Chinese.

But you should also see if you have a file called Tapi.exe on your PC:
Tapi.exe Caused General Protection Fault (GPF) In Kernel32.exe When Connecting / Uninstall and Reinstall Dial-up Networking
http://support.earthlink.net/mu/1/psc/img/walkthroughs/windows_9x_nt/dialers/dial-up_connections/1748.psc.html
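A small triage script for the autorun pattern discussed in this post, added here as an example (it is not from the original thread, from HijackThis, or from any vendor). It parses HijackThis-style O4 lines and file-type shell\open\command values, and flags any entry whose program borrows the base name of a core Windows DLL with an .exe extension, the kernel32.exe trick described above. The list of DLL base names and the expected txtfile handler (notepad.exe) are assumptions for the demo; the sample O4 lines are copied from the logs posted in this thread, and the two registry command values are constructed in the shape the G_Door description gives.

```python
import ntpath
import re

# Core Windows libraries that ship only as .dll. A same-named .exe in the system
# directory (kernel32.exe) is not a Microsoft file. Assumption: this short list.
SYSTEM_DLL_BASENAMES = {"kernel32", "user32", "gdi32", "ntdll", "advapi32", "shell32"}

# Expected default handler per file type (assumption, limited to the type the
# Backdoor.G_Door description above hijacks).
EXPECTED_HANDLER = {"txtfile": "notepad.exe"}

# HijackThis O4 line, e.g.  O4 - HKLM\..\Run: [InternalSystray] c:\windows\system\kernel32.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices|RunOnce): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)


def executable_of(command: str) -> str:
    """Lower-cased base name of the program a registry command line starts.

    Handles quoted paths and unquoted paths containing spaces by cutting after
    the first '.exe' token (good enough for Run/RunServices values).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        m = re.match(r"(?i)(.+?\.exe)(\s|$)", command)
        exe = m.group(1) if m else command.split()[0]
    return ntpath.basename(exe).lower()


def looks_like_dll_masquerade(exe_basename: str) -> bool:
    """True for names such as kernel32.exe: a DLL base name with an .exe suffix."""
    stem, ext = ntpath.splitext(exe_basename)
    return ext == ".exe" and stem in SYSTEM_DLL_BASENAMES


def triage_o4(line: str):
    """Return {'name', 'exe', 'verdict'} for an O4 line, or None if it is not one."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = executable_of(m.group("cmd"))
    verdict = "SUSPICIOUS" if looks_like_dll_masquerade(exe) else "ok"
    return {"name": m.group("name"), "exe": exe, "verdict": verdict}


def triage_handler(file_type: str, command: str) -> str:
    """Check a <type>\\shell\\open\\command value against the expected handler."""
    exe = executable_of(command)
    expected = EXPECTED_HANDLER.get(file_type)
    if looks_like_dll_masquerade(exe) or (expected is not None and exe != expected):
        return "SUSPICIOUS"
    return "ok"


# Sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_O4 = [
    r"O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
    r'O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"',
    r"O4 - HKLM\..\Run: [InternalSystray] c:\windows\system\kernel32.exe",
]

# Constructed registry values: the stock Win9x txtfile handler and the hijacked one.
SAMPLE_HANDLERS = [
    ("txtfile", r"C:\WINDOWS\NOTEPAD.EXE %1"),
    ("txtfile", r"C:\WIN98\SYSTEM\KERNEL32.EXE %1"),
]


def suspicious_entries():
    """Names of suspicious O4 entries plus hijacked handler commands."""
    hits = [r["name"] for r in map(triage_o4, SAMPLE_O4) if r and r["verdict"] == "SUSPICIOUS"]
    hits += [cmd for ftype, cmd in SAMPLE_HANDLERS if triage_handler(ftype, cmd) == "SUSPICIOUS"]
    return hits


if __name__ == "__main__":
    for line in SAMPLE_O4:
        print(triage_o4(line))
    for ftype, cmd in SAMPLE_HANDLERS:
        print(ftype, cmd, "->", triage_handler(ftype, cmd))
```

The point of checking the file-type handler as well as Run/RunServices is the one the description makes: deleting the two Run entries is not enough when every double-clicked .txt file relaunches the server.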
I have one other suggestion for you on that Netdet.exe: find the file, right-click on it, go to Properties, then make sure it is that size and what you expect it to be doing on your system. Do you use it? It would be a perfect place to hide a trojan... when did you download it?
Hi mc-2000,

Have you scanned your computer in the meantime with either BoClean, TDS-3 or Trojan Hunter (alphabetical order, any of these will do)? You could also try whether unchecking the kernel32.exe in msconfig and rebooting stops the entries in your log.

Regards,
Pieter
As I said in my post earlier, I managed to confirm that it's my firewall doing it. I went into safe mode without loading the config.sys, autoexec.bat, system.ini, win.ini and startup. As soon as I was in Windows I ran my firewall (Outpost); as expected, that kernel32 is there again. So I uninstalled and installed Outpost. Now I'm getting the following log and I permitted it...

reason: Allow Outgoing DHCP
application: KERNEL32.DLL
remote host: 255.255.255.255
remote port: 67
direction: Outbound
protocol: UDP

Someone in the Outpost forum told me what I'm getting now is normal. The mystery is what happened? How in the hell did I get that irc thing, and weirdest of all, it's my firewall doing it. There's nothing suspicious now except that I receive a report of an RST attack once in a while. By the way, I compared my backup registry and my present registry and I can't find anything bad... I think.
I posted this in the thread at Agnitum. http://www.dal.net/index.php3 I think you are being used in a DoS attack. As posted earlier, you need to check with TDS3, KAV, BO Clean, something that is going to nail down what you have. It is not Outpost. Also check on what Primrose posted.
First of all... thanks root... you're here. I have it again. This time I checked the DNS cache in Outpost. There I found out that my log was registering my remote host 255.255... as the DNS name irc.dal.net, so initially I thought it's an Outpost bug, but as root said it's not Outpost.
No... kernel showed up only when I ran the HijackThis program. In TDS none... nothing at all... I'm clean with TDS.
Hi. As mentioned by Primrose:

O4 - HKLM\..\Run: [InternalSystray] c:\windows\system\kernel32.exe

This is a trojan! There should be no kernel32.EXE. Please follow up on Primrose's post and see what you find.
Hi,

As Root said, you should follow Primrose's suggestions. This is a quote from Microsoft about kernel32.exe:

This issue can occur if your computer is infected by one of the following viruses:
Worm_Badtrans.b
Backdoor.G_Door
Glacier Backdoor
Win32.Badtrans.29020
W32.Badtrans.B@mm
Win32/PWS.Badtrans.B.Worm

Kernel32.exe is the worm process that resides on the client computer, and Kernel32.exe is not a Microsoft file.

Regards
You can get a free tool to find and remove Badtrans at this link but I do not think that is your problem. W32/Badtrans.B Removal Utility & Instructions Thank you for your interest in the Panda Disinfection Instructions and Utilities. To read the instructions and download the utility for removing the W32/Badtrans.B worm, http://www.pandasecurity.com/Disinfect.asp?ID=25
According to TDS I'm clean. I'm back with this but without the DNS name of irc.dal.net.

reason: Allow Outgoing DHCP
application: KERNEL32.DLL
remote host: 255.255.255.255
remote port: 67
direction: Outbound
protocol: UDP

Is this normal now? I just deleted this in my registry:

O4 - HKLM\..\Run: [InternalSystray] c:\windows\system\kernel32.exe

The following is the latest HijackThis log...

Logfile of HijackThis v1.91.2
Scan saved at 4:34:52 PM, on 2/3/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=proxy.pacific.net.ph:8080
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\idetect.exe /auto
O4 - HKLM\..\Run: [Iusage] C:\PROGRAM FILES\INTERNET USAGE MONITOR V7.7\netdet.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [BatteryBar] c:\program files\batterybar\batterybar.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [Dimension4] C:\PROGRAM FILES\D4\D4.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [Detect] C:\Program Files\iNTERNET Turbo\idetect.exe /auto
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust\Antivirus\InoRT9x.exe
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
O4 - HKCU\..\Run: [TClockEx] "D:\Program Files\TClockEx\TCLOCKEX.EXE"
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37604.7922800926
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

Startup log:

StartupList report, 2/3/03, 4:38:46 PM
StartupList version: 1.51
Started from : C:\UNZIPPED\HIJACKTHIS191\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\INORT9X.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPERLITE\DKSERVICE.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET TURBO\IDETECT.EXE
C:\PROGRAM FILES\INTERNET USAGE MONITOR V7.7\NETDET.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\BATTERYBAR\BATTERYBAR.EXE
C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\REALMON.EXE
C:\PROGRAM FILES\D4\D4.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET USAGE MONITOR V7.7\IUSAGE.EXE
C:\UNZIPPED\HIJACKTHIS191\HIJACKTHIS.EXE

--------------------------------------------------
Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Norton System Doctor.LNK = C:\Program Files\Norton Utilities\SYSDOC32.EXE
GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Detect = C:\Program Files\iNTERNET Turbo\idetect.exe /auto
Iusage = C:\PROGRAM FILES\INTERNET USAGE MONITOR V7.7\netdet.exe
TaskMonitor = C:\WINDOWS\taskmon.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
BatteryBar = c:\program files\batterybar\batterybar.exe
Realtime Monitor = "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
Dimension4 = C:\PROGRAM FILES\D4\D4.EXE
Outpost Firewall = C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
SystemTray = SysTray.Exe

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Detect = C:\Program Files\iNTERNET Turbo\idetect.exe /auto
InoRT = C:\Program Files\CA\eTrust\Antivirus\InoRT9x.exe
DkService = C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
GoBack Polling Service = C:\Program Files\Roxio\GoBack\GBPoll.exe
Outpost Firewall = C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

TClockEx = "D:\Program Files\TClockEx\TCLOCKEX.EXE"

--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 1/2/2003, 18:10:44)

[rename]
C:\WINDOWS\TEMP\CHECKFW.DLL=C:\WINDOWS\TEMP\~GLH000C.TMP

--------------------------------------------------
C:\AUTOEXEC.BAT listing:

SET AVENGINE=C:\PROGRA~1\CA\COMMON\SCANEN~1
C:\PROGRA~1\CA\COMMON\SCANEN~1\EXAMINE.EXE
PATH=C:\PROGRA~1\CA\COMMON\SCANEN~1;C:\PROGRA~1\CA\ETRUST\ANTIVI~1;"C:\Program Files\Executive Software\DiskeeperLite\"
SET INOCULAN=C:\PROGRA~1\CA\ETRUST\ANTIVI~1

--------------------------------------------------
Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE}

--------------------------------------------------
Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------
Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37604.7922800926

[DmiReader Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SYSPRO~1.DLL
CODEBASE = http://ftp.us.dell.com/fixes/PROFILER.CAB

--------------------------------------------------
End of report, 5,058 bytes
Report generated in 0.081 seconds
Looks OK to me. I would go to c:\windows\system\kernel32.exe and change that to kernel32.bkk. As far as I know there is not supposed to be a kernel32.exe at all, but I usually rename a file like that and wait a day or so and, as long as it didn't cause any trouble, then delete it. Don't mess with kernel32.dll. Let's hope that gets it.
Hi root, I totally deleted that kernel32.exe registry entry. I can't find the kernel.exe in Windows, so I thought of just deleting that entry in my registry. So until now OP is registering that... no DNS name irc.dal... just that 255.255... By the way, the local port is 68. Is that all normal now? I permitted it already. I think it's Optix Pro... but how come I can't see that kernel.exe file, just the registry entry?
Hi, Remember when you finally clean out whatever is trying to phone home to delete any backups so you won’t get reinfected. (Roxio) etc. Regards
I've been thinking lately about what really happened. Basically what gave me problems was that kernel32.dll... not kernel32.exe. Yes, I have that in my registry... I deleted that entry... but I don't have the kernel32.exe file. What Outpost really logs and what got my attention was that kernel32.dll... can you really please explain or tell me what really happened?
This is a startup entry that would have given you error reports if the file didn't exist: O4 - HKLM\..\Run: [InternalSystray] c:\windows\system\kernel32.exe So kernel32.exe must have been present at some point. Without knowing what exactly you have been doing, it is hard to reconstruct what exactly has happened. But I'm pretty sure you were infected with a trojan. I'm less sure about which one or when exactly it was disabled. HTH, Pieter
Yes, you are absolutely right... I'm definitely infected. But does this kind of trojan exist? What I mean is... using the kernel32.dll and going out to 255.255... aka irc.dal.net. I still have that kernel32.dll but without the DNS name irc... only 255.255. I ask that because if it's kernel.exe... definitely Outpost will get it... but a DLL? I thought 255.255 is safe?
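The log entries quoted through this thread (UDP to port 67, the broadcast address 255.255.255.255, local port 68, and the cached name irc.dal.net shown against that address) can be sorted mechanically. The Python below is an added example, not part of the original posts or of Outpost: it parses the flattened "Label value Label value" layout the posts use and classifies each record. The IRC port range, the verdict strings and the two constructed lines are assumptions; the other two lines are copied from the posts. It does not decide whether the machine was infected; it separates what a DHCP client normally looks like on the wire from what needs a closer look.

```python
import ipaddress
import re

# Field labels in the flattened Outpost log lines quoted in this thread
# (matched case-insensitively because the posts mix "Reason" and "reason").
FIELD_RE = re.compile(
    r"(Reason|Application|Remote Host|Remote Port|Local Port|Direction|Protocol)\s+",
    re.IGNORECASE,
)

BROADCAST = ipaddress.ip_address("255.255.255.255")
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
IRC_PORTS = range(6660, 7001)  # assumption: the usual IRC server port range


def parse_outpost(line: str) -> dict:
    """Split 'Label value Label value ...' into {label_lower: value}."""
    parts = FIELD_RE.split(line.strip())  # ['', 'Reason', 'Allow ...', 'Application', ...]
    it = iter(parts[1:])
    return {label.lower(): value.strip() for label, value in zip(it, it)}


def as_ip(host: str):
    """Return an ip_address for a dotted quad, or None when the field is a DNS name."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def classify(rec: dict) -> str:
    proto = rec.get("protocol", "").upper()
    rport = int(rec["remote port"]) if rec.get("remote port") else None
    lport = int(rec["local port"]) if rec.get("local port") else None
    host = rec.get("remote host", "")
    ip = as_ip(host)

    # A DHCP client talks from UDP 68 to UDP 67; DISCOVER/REQUEST go to the
    # limited broadcast address because the client has no lease yet.
    dhcp_shaped = proto == "UDP" and rport == DHCP_SERVER_PORT and lport in (None, DHCP_CLIENT_PORT)
    if dhcp_shaped and ip == BROADCAST:
        return "NORMAL: DHCP client broadcast (UDP 68 -> 255.255.255.255:67)"
    if dhcp_shaped and ip is None:
        # The packet itself carries only an IP address; any name shown here is the
        # firewall's own lookup or cache, and 255.255.255.255 has no PTR record.
        return "REVIEW: DHCP-shaped packet shown with hostname %r; check the raw destination IP" % host
    if rport in IRC_PORTS or host.lower().startswith("irc."):
        return "SUSPICIOUS: IRC-style connection by %s" % rec.get("application", "?")
    return "INFO: no rule matched"


SAMPLE_LINES = [
    # Copied from the first post in this thread
    "Reason Allow Outgoing DHCP Application KERNEL32.DLL Remote Host irc.dal.net Remote Port 67 Direction Outbound Protocol UDP",
    # Copied from a later post, after the firewall reinstall
    "reason Allow Outgoing DHCP application KERNEL32.DLL remote host 255.255.255.255 remote port 67 direction Outbound protocol UDP",
    # Constructed: the same broadcast with the local port 68 mentioned later in the thread
    "Reason Allow Outgoing DHCP Application KERNEL32.DLL Remote Host 255.255.255.255 Remote Port 67 Local Port 68 Direction Outbound Protocol UDP",
    # Constructed: what a real IRC bot connection would look like in the same format
    "Reason Block Application KERNEL32.DLL Remote Host irc.dal.net Remote Port 6667 Direction Outbound Protocol TCP",
]


def triage_all(lines=SAMPLE_LINES):
    """Verdict string for each log line, in order."""
    return [classify(parse_outpost(line)) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LINES, triage_all()):
        print(verdict, "<-", line)
```

The first sample line lands in REVIEW rather than SUSPICIOUS on purpose: the port and protocol are exactly what a DHCP client sends, and the only odd thing is a name attached to an address that cannot have one, so the right next step is to look at the destination IP the firewall actually saw. A TCP connection to an IRC port, by contrast, has no benign explanation for a system component and is flagged outright.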
I'm not really an expert on trojans. All I want to know is how to detect them and how to get rid of them. What I do know is that most/all trojans can be set to connect to anything. But there are enough experts on this board that have trojans for breakfast. Better wait for one of them. Regards, Pieter [EDIT] I moved this topic to the trojan and backdoors forum so the experts will find it. [/EDIT]