irc

Discussion in 'malware problems & news' started by mc-2000, Jan 26, 2003.

Thread Status:
Not open for further replies.
  1. mc-2000

    mc-2000 Registered Member

    Joined:
    Jan 26, 2003
    Posts:
    16
    Hey guys, I've been in several forums but they can't find any solution to my problem...
    I managed to stop my kernel32.dll going out but it still keeps trying (but it's blocked).
    I checked and cleaned my registry "run"..
    I used Spybot S&D
    but it's still there.

    Here's the log file, as follows...

    Reason
    Allow Outgoing DHCP

    Application
    KERNEL32.DLL

    Remote Host
    irc.dal.net

    Remote Port
    67

    Direction
    Outbound

    Protocol
    UDP
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi mc-2000,

    Please download Hijackthis, unzip and run it: Scan > Save log, rename the .log to .txt and post it.
    Then under Config > Misc Tools > generate Startuplog and post that log as well.
    Let's see if we can figure this out.

    Regards,

    Pieter
     
  3. mc-2000

    mc-2000 Registered Member

    Joined:
    Jan 26, 2003
    Posts:
    16
    Here it is. Hope you can help me.. I've had this for almost one month now... nobody on the net can help me.. yet.

    Logfile of HijackThis v1.91.2
    Scan saved at 9:42:35 AM, on 1/29/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [BatteryBar] c:\program files\batterybar\batterybar.exe
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
    O4 - HKLM\..\Run: [Dimension4] C:\PROGRAM FILES\D4\D4.EXE
    O4 - HKLM\..\Run: [Iusage] C:\PROGRAM FILES\INTERNET USAGE MONITOR V7.7\NETDET.exe
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\idetect.exe /auto
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [InternalSystray] c:\windows\system\kernel32.exe
    O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust\Antivirus\InoRT9x.exe
    O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
    O4 - HKLM\..\RunServices: [Detect] C:\Program Files\iNTERNET Turbo\idetect.exe /auto
    O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
    O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
    O4 - HKCU\..\Run: [TClockEx] "D:\Program Files\TClockEx\TCLOCKEX.EXE"
    O4 - Startup: maxmem.lnk = D:\Program Files\AnalogX\MaxMem\maxmem.exe
    O4 - Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37604.7922800926
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB



    Here's the startup....


    StartupList report, 1/29/03, 9:43:45 AM
    StartupList version: 1.51
    Started from : C:\UNZIPPED\HIJACKTHIS191\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\INORT9X.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
    C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPERLITE\DKSERVICE.EXE
    C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\BATTERYBAR\BATTERYBAR.EXE
    C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\REALMON.EXE
    C:\PROGRAM FILES\D4\D4.EXE
    C:\PROGRAM FILES\INTERNET USAGE MONITOR V7.7\NETDET.EXE
    C:\PROGRAM FILES\INTERNET TURBO\IDETECT.EXE
    D:\PROGRAM FILES\ANALOGX\MAXMEM\MAXMEM.EXE
    C:\PROGRAM FILES\ROXIO\GOBACK\GBTRAY.EXE
    C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\UNZIPPED\HIJACKTHIS191\HIJACKTHIS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    maxmem.lnk = D:\Program Files\AnalogX\MaxMem\maxmem.exe
    GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    Norton System Doctor.LNK = C:\Program Files\Norton Utilities\SYSDOC32.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    BatteryBar = c:\program files\batterybar\batterybar.exe
    Realtime Monitor = "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
    Dimension4 = C:\PROGRAM FILES\D4\D4.EXE
    Iusage = C:\PROGRAM FILES\INTERNET USAGE MONITOR V7.7\NETDET.exe
    Outpost Firewall = C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
    Detect = C:\Program Files\iNTERNET Turbo\idetect.exe /auto
    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    InternalSystray = c:\windows\system\kernel32.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    InoRT = C:\Program Files\CA\eTrust\Antivirus\InoRT9x.exe
    Outpost Firewall = C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
    Detect = C:\Program Files\iNTERNET Turbo\idetect.exe /auto
    DkService = C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
    GoBack Polling Service = C:\Program Files\Roxio\GoBack\GBPoll.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    TClockEx = "D:\Program Files\TClockEx\TCLOCKEX.EXE"

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 24/1/2003, 19:38:10)

    [rename]
    NUL=c:\GBREBOOT.EXE
    C:\PROGRA~1\ROXIO\GOBACK\ShellExt.dll=C:\PROGRA~1\ROXIO\GOBACK\SHELLEXT.TMP
    C:\PROGRA~1\ROXIO\GOBACK\GBPoll.exe=C:\PROGRA~1\ROXIO\GOBACK\GBPOLL.TMP
    NUL=c:\GBSETHLP.VXD
    NUL=c:\GB1033.LNG
    NUL=ø<E
    NUL=c:\GOBACK.RXC
    NUL=c:\GBSETUP.EXE

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET AVENGINE=C:\PROGRA~1\CA\COMMON\SCANEN~1
    C:\PROGRA~1\CA\COMMON\SCANEN~1\EXAMINE.EXE
    PATH=C:\PROGRA~1\CA\COMMON\SCANEN~1;C:\PROGRA~1\CA\ETRUST\ANTIVI~1;"C:\Program Files\Executive Software\DiskeeperLite\"
    SET INOCULAN=C:\PROGRA~1\CA\ETRUST\ANTIVI~1

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37604.7922800926

    [DmiReader Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\SYSPRO~1.DLL
    CODEBASE = http://ftp.us.dell.com/fixes/PROFILER.CAB

    --------------------------------------------------
    End of report, 5,456 bytes
    Report generated in 0.362 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi mc-2000,

    This is what I can make of it.

    Is this a trojan?
    InternalSystray= c:\windows\system\kernel32.exe (OptixPro)

    Feel free to download a free trial of an AT here: http://www.wilders.org/anti_trojans.htm to check that.

    Other suspects for causing connections:
    D4.exe (program used for time synchronisation)
    idetect.exe (browser speed enhancer)
    DAP (downloadmanager, spyware)

    Unneeded in Startup:
    GBPoll.exe
    GBTray.exe
    Sysdoc32.exe

    Unknown (to me):
    Batterybar.exe
    Netdet.exe

    To easily manipulate what starts up and what does not:
    http://www.mlin.net/StartupMonitor.shtml

    Regards,

    Pieter
     
  5. mc-2000

    mc-2000 Registered Member

    Joined:
    Jan 26, 2003
    Posts:
    16
    My theory of what causes this is confirmed..
    I ran in safe mode and did not load anything.
    Inside Windows I ran Outpost... lo and behold... this kernel32 is still there.
    In other words, Outpost was the process doing it.
    So I uninstalled it and installed it again... now I have this log.

    Allow Outgoing DHCP KERNEL32.DLL 01/30/03 12:28:38 AM 255.255.255.255 67 Outbound UDP

    What a mystery that IRC thing... what do you think really happened?
    These past several weeks I learned a lot because of this problem.
    I even tried learning basic knowledge about trojans.. now I end up having several undetected trojans.. what a life.
     
  6. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    1. Your Netdet.exe is this program and it is OK.

    Net tracking

    To track hours on the Internet, eWorld readers may find this freeware useful. Internet Usage Monitor v7.7 - 1014 KB

    Internet Usage Monitor will monitor the time spent on the Internet and will calculate the total cost of online time according to the local telephone charges that the user enters.

    This program makes it easy to budget online time.

    Salient features:

    - Automatically detects when you go online
    - Online Timer facility
    - Detailed analysis in the form of colourful charts and graphs
    - Session-by-session usage monitoring
    - Yearly reports
    - Displays current session's time & cost as a tool tip.


    2. Your Kernel32.exe is not good.. it could be many types of backdoor trojans, but you should try this...

    Backdoor.G_Door

    --------------------------------------------------------------------------------
    This backdoor uses standard client-server technology and includes two parts - client and server, both are Windows executable files (PE EXE). The backdoor server is installed on victim computers, and the client controls them from remote station.
    Installation
    When the server is run on a victim computer, it installs itself to the system - moves itself to the Windows system directory with the KERNEL32.EXE name and changes the system registry keys:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    @="C:\\WIN98\\SYSTEM\\KERNEL32.EXE"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    @="C:\\WIN98\\SYSTEM\\KERNEL32.EXE"

    [HKEY_CLASSES_ROOT\txtfile\shell\open\command]
    @="C:\\WIN98\\SYSTEM\\KERNEL32.EXE %1"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command]
    @="C:\\WIN98\\SYSTEM\\KERNEL32.EXE %1"

    The name of the Windows system directory (here it is "C:\WIN98\SYSTEM") depends on the system configuration.
    As a result of such registration in the system registry, the server starts automatically at boot time (first two keys), as well as each time a TXT file is opened. In this way the server starts on Windows startup, and restarts if its process is unloaded from system memory by a user.

    Moreover, the server permanently (about every 10 seconds) checks its registry keys. If these keys are changed (the reference to the server file is deleted), the server restores them to the "infected" state.

    As a result, removing the backdoor server is not a simple problem: it is impossible to remove or rename the KERNEL32.EXE backdoor server file (it is active and locked by the system); the registry keys are controlled by the server (this makes it impossible to reboot the system with a "clean" registry).

    Under Win9x, to get rid of this backdoor it is possible to boot the computer in DOS mode and remove the KERNEL32.EXE file from the Windows system directory; after booting Windows it is necessary to remove references to this file in the system registry. Under WinNT it is necessary to kill the backdoor's process in Windows memory, then delete the server EXE file and clear the system registry keys.

    Server
    To get a connection to the client component the backdoor server uses socket 7626 and periodically listens on it. When the server is connected with a client, it executes the client's commands and controls the victim computer: it manipulates the victim's file system - copying, moving, deleting, creating files, etc.
    Client
    The client has the ability to scan for active servers. On connection to a server the client gets control of the victim computer's resources. The client GUI is adapted to Chinese.

    But you should also see if you have a file called Tapi.exe on your PC

    Tapi.exe Caused General Protection Fault (GPF) In Kernel32.exe When Connecting / Uninstall and Reinstall Dial-up Networking

    http://support.earthlink.net/mu/1/psc/img/walkthroughs/windows_9x_nt/dialers/dial-up_connections/1748.psc.html
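    Pieter's triage of the HijackThis log (post 4) and the Backdoor.G_Door description above both turn on the same observation: Windows ships a kernel32.dll, never a kernel32.exe, so an autorun entry launching kernel32.exe from the system directory is a load point worth pulling out of the log automatically. The script below is an added example, not HijackThis, StartupList or anything posted by the participants; it parses O4 lines and StartupList "Name = command" lines, extracts the program path from each command line (quoted, unquoted with spaces, or followed by switches), and flags two patterns: an executable that borrows the name of a core Windows DLL, and a value name that imitates the SystemTray entry while launching something other than systray.exe. The list of DLL stems is an illustrative assumption, and the sample lines are taken from the logs posted in this thread.

```python
"""Triage of HijackThis O4 and StartupList autorun entries (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Core Windows modules that ship only as DLLs; an autorun pointing at <stem>.exe is the
# masquerade pattern seen in this thread. Assumption: this list is illustrative, not exhaustive.
SYSTEM_DLL_STEMS = {"kernel32", "user32", "gdi32", "ntdll", "advapi32", "shell32", "ws2_32", "wsock32"}

HJT_PREFIX = re.compile(r"^[A-Z]\d+ - ")                            # any HijackThis line (R1, O2, O4, ...)
HJT_STARTUP = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")
HJT_O4 = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUPLIST = re.compile(r"^(?P<name>[^=]+?) = (?P<cmd>.+)$")      # "Name = command" in StartupList dumps


@dataclass(frozen=True)
class Entry:
    source: str      # registry key or folder the entry was read from
    name: str        # value name / shortcut name
    command: str     # command line as logged


@dataclass(frozen=True)
class Finding:
    entry: Entry
    reason: str


def executable_of(command: str) -> str:
    """Return the program path from a logged command line (quoted, spaced, or with switches)."""
    cmd = command.strip()
    if cmd.startswith('"'):                       # "C:\Program Files\...\realmon.exe"
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: take everything up to the first executable
    # extension that is followed by whitespace or end of line ("... idetect.exe /auto").
    m = re.match(r"(?i)(.+?\.(?:exe|com|scr|pif|bat))(?=\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_autorun_lines(text: str) -> list[Entry]:
    """Parse both HijackThis O4 lines and StartupList 'Name = command' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HJT_STARTUP.match(line):
            entries.append(Entry("Startup folder", m["name"], m["cmd"]))
        elif m := HJT_O4.match(line):
            entries.append(Entry(m["where"], m["name"], m["cmd"]))
        elif not HJT_PREFIX.match(line) and (m := STARTUPLIST.match(line)):
            entries.append(Entry("StartupList", m["name"], m["cmd"]))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Flag load points whose program or value name masquerades as a Windows component."""
    findings = []
    for e in entries:
        exe = PureWindowsPath(executable_of(e.command))
        stem, suffix = exe.stem.lower(), exe.suffix.lower()
        if stem in SYSTEM_DLL_STEMS and suffix != ".dll":
            findings.append(Finding(e, f"{exe.name} borrows the name of a core Windows DLL; Windows ships no such executable"))
        if "systray" in e.name.lower().replace(" ", "") and stem != "systray":
            findings.append(Finding(e, f"value name '{e.name}' imitates the SystemTray entry but launches {exe.name}"))
    return findings


def triage_text(text: str) -> list[Finding]:
    return triage(parse_autorun_lines(text))


# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\idetect.exe /auto
O4 - HKLM\..\Run: [InternalSystray] c:\windows\system\kernel32.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust\Antivirus\InoRT9x.exe
O4 - Startup: maxmem.lnk = D:\Program Files\AnalogX\MaxMem\maxmem.exe
InternalSystray = c:\windows\system\kernel32.exe
"""

if __name__ == "__main__":
    for f in triage_text(SAMPLE):
        print(f"[{f.entry.source}] {f.entry.name}: {f.reason}")
```

    Run as-is it reports the InternalSystray entry twice (once from the HijackThis O4 line, once from the StartupList dump) and nothing else; the same entry name pointing at a DLL-named executable from two load points is exactly the shape of the line Pieter singled out.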
     
  7. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    I have one other suggestion for you on that Netdet.exe: find the file.. right click on it.. go to Properties.. then make sure it is that size and what you expect it to be doing on your system.. do you use it? ;) It would be a perfect place to hide a trojan... when did you download it?
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi mc-2000,

    Have you scanned your computer in the meantime with either BoClean, TDS-3 or Trojan Hunter (alphabetical order, any of these will do)?
    You could also try if unchecking the kernel32.exe in msconfig and rebooting stops the entries in your log.

    Regards,

    Pieter
     
  9. mc-2000

    mc-2000 Registered Member

    Joined:
    Jan 26, 2003
    Posts:
    16
    As I said in my post earlier,
    I managed to confirm that it's my firewall doing it.
    I went into safe mode without loading config.sys, autoexec.bat, system.ini, win.ini and startup.
    As soon as I'm in Windows I run my firewall (Outpost).
    Expectedly, that kernel32 is there again.
    So I uninstalled and reinstalled Outpost.
    Now I'm getting the following log and I permitted it...

    reason
    Allow Outgoing DHCP   

    application
    KERNEL32.DLL   

    remote host
    255.255.255.255   

    remote port
    67   

    direction
    Outbound   

    protocol
    UDP

    Someone at Outpost told me what I'm getting now is normal.
    The mystery is what happened?.. how in the hell did I get that IRC thing, and weirdest of all it's my firewall doing it.

    There's nothing suspicious now except that I receive a report of an RST attack once in a while.

    By the way, I compared my backup registry and my present registry and I can't find anything bad.. I think.
     
  10. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I posted this in the thread at Agnitum.
    http://www.dal.net/index.php3
    I think you are being used in a DoS attack.
    As posted earlier, you need to check with TDS3, KAV, BO Clean, something that is going to nail down what you have. It is not Outpost.

    Also check on what Primrose posted.
     
  11. mc-2000

    mc-2000 Registered Member

    Joined:
    Jan 26, 2003
    Posts:
    16
    First of all.. thanks root... you're here.
    I have it again.
    This time I checked the DNS cache in Outpost.
    There I found out that my log was registering my remote host 255.255... as the DNS name irc.dal.net.
    So initially I thought it's an Outpost bug, but as root said it's not Outpost.
     
  12. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    According to Pokinpo, you scanned with TDS and Kernel32 showed up. Is that correct?
     
  13. mc-2000

    mc-2000 Registered Member

    Joined:
    Jan 26, 2003
    Posts:
    16
    No... kernel showed up only when I ran the HijackThis prog.
    In TDS none.. nothing at all.. I'm clean with TDS :( :( :oops: :doubt:
     
  14. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hi. As mentioned by Primrose:
    O4 - HKLM\..\Run: [InternalSystray] c:\windows\system\kernel32.exe
    This is a trojan! There should be no kernel32.EXE
    Please follow up on Primrose's post and see what you find.
     
  15. grey_ghost

    grey_ghost Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    60
    Hi,
    As Root said, you should follow Primrose's suggestions.

    This is a quote from Microsoft about kernel32.exe

    This issue can occur if your computer is infected by one of the following viruses:
    Worm_Badtrans.b
    Backdoor.G_Door
    Glacier Backdoor
    Win32.Badtrans.29020
    W32.Badtrans.B@mm
    Win32/PWS.Badtrans.B.Worm

    Kernel32.exe is the worm process that resides on the client computer, and Kernel32.exe is not a Microsoft file.

    Regards
     
  16. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    You can get a free tool to find and remove Badtrans at this link but I do not think that is your problem.


    W32/Badtrans.B Removal Utility & Instructions

    Thank you for your interest in the Panda Disinfection Instructions and Utilities. To read the instructions and download the utility for removing the W32/Badtrans.B worm,

    http://www.pandasecurity.com/Disinfect.asp?ID=25
     
  17. mc-2000

    mc-2000 Registered Member

    Joined:
    Jan 26, 2003
    Posts:
    16
    According to TDS, I'm clean.

    I'm back with this but without the DNS name of irc.dal.net.

    reason
    Allow Outgoing DHCP   

    application
    KERNEL32.DLL      

    remote host
    255.255.255.255   

    remote port
    67   

    direction
    Outbound   

    protocol
    UDP

    Is this normal now?
    I just deleted this in my registry:

    O4 - HKLM\..\Run: [InternalSystray] c:\windows\system\kernel32.exe

    The following is the latest HijackThis log.....


    Logfile of HijackThis v1.91.2
    Scan saved at 4:34:52 PM, on 2/3/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=proxy.pacific.net.ph:8080
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [Detect] C:\Program Files\iNTERNET Turbo\idetect.exe /auto
    O4 - HKLM\..\Run: [Iusage] C:\PROGRAM FILES\INTERNET USAGE MONITOR V7.7\netdet.exe
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [BatteryBar] c:\program files\batterybar\batterybar.exe
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
    O4 - HKLM\..\Run: [Dimension4] C:\PROGRAM FILES\D4\D4.EXE
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\RunServices: [Detect] C:\Program Files\iNTERNET Turbo\idetect.exe /auto
    O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust\Antivirus\InoRT9x.exe
    O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
    O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
    O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
    O4 - HKCU\..\Run: [TClockEx] "D:\Program Files\TClockEx\TCLOCKEX.EXE"
    O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton Utilities\SYSDOC32.EXE
    O4 - Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37604.7922800926
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB


    Startup log from HijackThis:

    StartupList report, 2/3/03, 4:38:46 PM
    StartupList version: 1.51
    Started from : C:\UNZIPPED\HIJACKTHIS191\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\INORT9X.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPERLITE\DKSERVICE.EXE
    C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
    C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\INTERNET TURBO\IDETECT.EXE
    C:\PROGRAM FILES\INTERNET USAGE MONITOR V7.7\NETDET.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\BATTERYBAR\BATTERYBAR.EXE
    C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\REALMON.EXE
    C:\PROGRAM FILES\D4\D4.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
    C:\PROGRAM FILES\ROXIO\GOBACK\GBTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\INTERNET USAGE MONITOR V7.7\IUSAGE.EXE
    C:\UNZIPPED\HIJACKTHIS191\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Norton System Doctor.LNK = C:\Program Files\Norton Utilities\SYSDOC32.EXE
    GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Detect = C:\Program Files\iNTERNET Turbo\idetect.exe /auto
    Iusage = C:\PROGRAM FILES\INTERNET USAGE MONITOR V7.7\netdet.exe
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    BatteryBar = c:\program files\batterybar\batterybar.exe
    Realtime Monitor = "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
    Dimension4 = C:\PROGRAM FILES\D4\D4.EXE
    Outpost Firewall = C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
    SystemTray = SysTray.Exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    Detect = C:\Program Files\iNTERNET Turbo\idetect.exe /auto
    InoRT = C:\Program Files\CA\eTrust\Antivirus\InoRT9x.exe
    DkService = C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
    GoBack Polling Service = C:\Program Files\Roxio\GoBack\GBPoll.exe
    Outpost Firewall = C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    TClockEx = "D:\Program Files\TClockEx\TCLOCKEX.EXE"

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 1/2/2003, 18:10:44)

    [rename]
    C:\WINDOWS\TEMP\CHECKFW.DLL=C:\WINDOWS\TEMP\~GLH000C.TMP

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET AVENGINE=C:\PROGRA~1\CA\COMMON\SCANEN~1
    C:\PROGRA~1\CA\COMMON\SCANEN~1\EXAMINE.EXE
    PATH=C:\PROGRA~1\CA\COMMON\SCANEN~1;C:\PROGRA~1\CA\ETRUST\ANTIVI~1;"C:\Program Files\Executive Software\DiskeeperLite\"
    SET INOCULAN=C:\PROGRA~1\CA\ETRUST\ANTIVI~1

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37604.7922800926

    [DmiReader Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\SYSPRO~1.DLL
    CODEBASE = http://ftp.us.dell.com/fixes/PROFILER.CAB

    --------------------------------------------------
    End of report, 5,058 bytes
    Report generated in 0.081 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  18. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Looks ok to me. I would go to c:\windows\system\kernel32.exe and change that to kernel32.bkk. As far as I know there is not supposed to be a kernel32.exe at all, but I usually rename a file like that and wait a day or so and as long as it didn't cause any trouble, then delete it. Don't mess with kernel32.dll.
    Let's hope that gets it.
     
  19. mc-2000

    mc-2000 Registered Member

    Joined:
    Jan 26, 2003
    Posts:
    16
    Hi root.. I totally deleted that kernel32.exe registry entry.
    I can't find the kernel.exe in Windows.. so I thought of just deleting that entry in my registry.
    So until now OP is registering that.. no DNS name irc.dal... just that 255.255... by the way, the local port is 68.
    Is that all normal now?... I permitted it already.
    I think it's Optix Pro... but how come I can't see that kernel.exe file.. just the registry entry?
     
  20. grey_ghost

    grey_ghost Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    60
    Hi,

    Remember, when you finally clean out whatever is trying to phone home, to delete any backups so you won't get reinfected (Roxio, etc.).

    Regards
     
  21. mc-2000

    mc-2000 Registered Member

    Joined:
    Jan 26, 2003
    Posts:
    16
    I've been thinking lately about what really happened.
    Basically what gave me the problem was that kernel32.dll... not kernel32.exe.
    Yes.. I had that in my registry.. I deleted that entry... but I don't have the kernel32.exe file.
    What Outpost really logs and what got my attention was that kernel32.dll.... can you really please explain or tell me what really happened?
     
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    This is a startup entry that would have given you error reports if the file didn't exist:
    O4 - HKLM\..\Run: [InternalSystray] c:\windows\system\kernel32.exe

    So kernel32.exe must have been present at some point.
    Without knowing what exactly you have been doing, it is hard to reconstruct what exactly has happened.
    But I'm pretty sure you were infected with a trojan. I'm less sure about which one or when exactly it was disabled.

    HTH,

    Pieter
     
  23. mc-2000

    mc-2000 Registered Member

    Joined:
    Jan 26, 2003
    Posts:
    16
    Yes, you are absolutely right.. I'm definitely infected.
    But does this kind of trojan exist?.. what I mean... using the kernel32.dll and going out to 255.255.. aka irc.dal.net
    I still have that kernel32.dll but without the DNS name irc.. only 255.255.
    I ask that because if it's kernel.exe.. definitely Outpost will get it.. but a dll?... I thought 255.255 is safe?
     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I'm not really an expert on trojans. All I want to know is how to detect them and how to get rid of them. What I do know is that most/all trojans can be set to connect to anything.
    But there are enough experts on this board that have trojans for breakfast. Better wait for one of them. :)

    Regards,

    Pieter

    [EDIT] I moved this topic to the trojan and backdoors forum so the experts will find it. [/EDIT]
     