Pribi.dll or G1.GZ BHO, anyone heard of this?

Discussion in 'other security issues & news' started by infotime, Jul 26, 2004.

Thread Status:
Not open for further replies.
  1. infotime

    infotime Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    4
    I've got a BHO called "pribi" and I can't find any information about it on the net, nor can I think of anything I've installed that would do this. Here's the details:

    Hijack this log entries:
    O2 - BHO: (no name) - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll
    O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe

    I have a folder C:\Documents and Settings\All Users\Application Data\Pribi
    in it there is:
    pribi.dll
    spif.fil
    spif.ini

    Contents of spif.ini:
    [DEF]
    ID=2151
    INST=True
    CV=v28
    UUID={5C42A822-CD41-4339-863B-8B27FD57FE1F}
    Date=7/25/2004
    [DYN]
    CV=v28
    CFPID=÷¼¼¼¼¼»º¾¡¿µº¹¡¸Í½Í¡µ´ÏÉ¡¿È¸Îʸ¹»È¸Ï´ñ
    [PRC]
    PRC=36

    It's also called G1.GZ according to Security Task Manager. The manufacturer is listed as ": E"

    Anyone have any idea what this is?
     
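    As an added example (not from the thread or any of its posters), a small Python triage helper that parses HijackThis O2/O4 lines like the two quoted above and flags the traits that stand out here: a BHO registered with no display name, and a binary loading from a shared Application Data folder rather than Program Files or System32. The sample lines are the two from the post; the folder lists are assumptions, and the output is a list of reasons to look closer, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two HijackThis entries quoted in the first post.
HJT_LINES = [
    r"O2 - BHO: (no name) - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll",
    r"O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe",
]

# O2 = Browser Helper Object: "O2 - BHO: <name> - {CLSID} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O4 = autostart: "O4 - HKxx\..\Run: [<value name>] <path>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")

# Assumed folder lists: where a properly installed BHO/autorun binary usually lives ...
EXPECTED_DIRS = ("\\program files\\", "\\progra~1\\", "\\windows\\system32\\", "\\winnt\\system32\\")
# ... and shared/per-user data folders that rarely host one (8.3 short forms included).
DATA_DIRS = ("\\application data\\", "\\applic~1\\", "\\local settings\\", "\\locals~1\\", "\\temp\\")


@dataclass
class Entry:
    kind: str                  # "O2" (BHO) or "O4" (autostart)
    name: str                  # display name or Run value name
    path: str                  # binary on disk
    clsid: Optional[str] = None


def parse_hjt_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis O2 or O4 line; other sections return None."""
    m = O2_RE.match(line.strip())
    if m:
        return Entry("O2", m["name"], m["path"], m["clsid"])
    m = O4_RE.match(line.strip())
    if m:
        return Entry("O4", m["name"], m["path"])
    return None


def triage(entry: Entry) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    p = entry.path.lower()
    if entry.kind == "O2" and entry.name.strip() == "(no name)":
        reasons.append("BHO registered without a display name")
    if any(d in p for d in DATA_DIRS) and not any(d in p for d in EXPECTED_DIRS):
        reasons.append("binary lives under a data folder, not Program Files/System32")
    return reasons
```

Running `triage` over every parsed line of a full log and sorting by reason count gives a quick worklist; both Pribi entries above come out with at least one reason.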
  2. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi, infotime:

    Google:
    No results here also:

    http://www.sysinfo.org/startuplist.php

    I used several search engines, and the majority only came up with an email address of someone called Peter Ribi: pribi @ DELETETHIS.POBOX.COM

    Did you go to the Pribi.exe, right click/Properties, and see what info you can get from there?

    TAS
     
  3. infotime

    infotime Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    4
    There's no pribi.exe on my system (I've searched all drives for it). There are only 3 related files, as I described in the first post, one of which is pribi.dll. Here's the text inside that file according to Security Task Manager:
    Code:
    This program cannot be run in DOS mode.
    3qC\Program Files\DevStudio\VB\VB5.OLB
    Software\Microsoft\Internet Explorer\Main\
    Start Page
    Are you sure you wish to uninstall
    runtime error 522
    http 404 not found
    server application unavailable
    the page cannot be displayed
    proxy authentication required
    the resource cannot be displayed
    the page cannot be found
    the web site cannot be found
    you are not authorized to view this page
    the page requires a client certificate
    the page must be viewed with a high
    security web browser
    the page must be viewed over a secure channel
    the page cannot be saved
    the resource cannot be found
    no page to display
    the page requires a valid client certificate
    runtime error
    server too busy
    cannot find server
    the page does not exist
    Microsoft Sans Serif
    ----------------
    InternetExplorer
    Location
    NInitializeWW
    Vbshell.tlbWW
    stdole2.tlbWW
    OLESelfRegister
    Pribi.dll
    OriginalFilename
    Pribi
    InternalName
    ProductVersion
    FileVersion
    ProductName
    StringFileInfo
    Translation
    VarFileInfo
    __vbaFreeStr
    __vbaFreeObj
    __vbaAryUnlock
    __vbaLateIdSt
    _allmul
    __vbaStrVarCopy
    __vbaHresultCheckNonvirt
    __vbaCastObj
    __vbaStrMove
    __vbaI2ErrVar
    _CIatan
    __vbaLateMemCallLd
    __vbaVarCopy
    __vbaVarDup
    __vbaStrToAnsi
    __vbaAryLock
    _adj_fdiv_r
    __vbaPowerR8
    _adj_fdivr_m32
    __vbaDerefAry1
    __vbaFreeStrList
    EVENT_SINK2_AddRef
    __vbaStrCopy
    _adj_fdivr_m32i
    _adj_fdiv_m32i
    __vbaInStr
    __vbaNew2
    __vbaVar2Vec
    __vbaFileOpen
    __vbaErrorOverflow
    __vbaVarCat
    __vbaUbound
    __vbaInStrVar
    __vbaFPException
    __vbaFailedFriend
    _adj_fdivr_m64
    _adj_fprem
    __vbaStrToUnicode
    __vbaExceptHandler
    EVENT_SINK_QueryInterface
    __vbaNew
    EVENT_SINK_Release
    __vbaRecUniToAnsi
    __vbaRedim
    Zombie_GetTypeInfoCount
    __vbaLateIdCallLd
    __vbaFixstrConstruct
    _adj_fpatan
    __vbaAryConstruct
    __vbaLbound
    __vbaCastObjVar
    __vbaVarOr
    DllFunctionCall
    __vbaObjVar
    __vbaStrCmp
    __vbaGenerateBoundsError
    EVENT_SINK_AddRef
    __vbaFileClose
    __vbaChkstk
    __vbaErase
    __vbaBoolVarNull
    __vbaVarTstLt
    _adj_fdivr_m16i
    __vbaObjSetAddref
    _adj_fdiv_m16i
    __vbaObjSet
    __vbaOnError
    __vbaExitProc
    EVENT_SINK2_Release
    __vbaAryDestruct
    Zombie_GetTypeInfo
    _adj_fdiv_m32
    __vbaHresultCheckObj
    __vbaSetSystemError
    __vbaLsetFixstr
    __vbaStrCat
    __vbaRecAnsiToUni
    _adj_fprem1
    __vbaStrErrVarCopy
    __vbaFreeObjList
    EVENT_SINK_Invoke
    _adj_fdiv_m64
    __vbaFreeVarList
    __vbaStrVarMove
    __vbaAptOffset
    __vbaLateIdCall
    __vbaLenBstr
    __vbaLineInputStr
    __vbaFreeVar
    __vbaAryMove
    __vbaVarVargNofree
    __vbaVarMove
    _adj_fptan
    __vbaVarSub
    __vbaVarTstGt
    EVENT_SINK_GetIDsOfNames
    DllUnregisterServer
    DllRegisterServer
    DllGetClassObject
    DllCanUnloadNow
    Pribi.dll
    VujVWjh
    uhdw
    uhdw
    uhdw
    uhdw
    uhdw
    uhpt
    Suht
    Suhpt
    Suhl
    Suhe
    Suhl
    WPad
    pCmdText
    pvaOut
    nCmdExecOpt
    pguidCmdGroup
    IOleCommandTarget
    priid
    fReserved
    punkToolbarSite
    prcBorder
    fEnterMode
    dwreserved
    Location
    IObjectWithSite
    IDockingWindow
    ProgressMax
    Progress
    Text
    Headers
    PostData
    TargetFrameName
    Flags
    Cancel
    lblClose
    lblTitle
    Frame1
    SHDocVwCtl.WebBrowser
    SHDocVwCtl.WebBrowser
    SHDocVwCtl.WebBrowser
    SHDocVwCtl.WebBrowser
    SHDocVwCtl.WebBrowser
    SHDocVwCtl.WebBrowser
    frmSearch
    modReplaceString_ReplaceString
    modGrabBaseDomain_GrabBaseDomain
    __vbaAryMove
    __vbaVar2Vec
    __vbaAryLock
    __vbaAryUnlock
    modIeGuid_GetGUID
    __vbaVarCopy
    __vbaVarTstLt
    modUpdateApplicationFiles_UpdateApplicationFiles
    open
    .exe
    .fil
    __vbaLbound
    __vbaAryConstruct
    __vbaGenerateBoundsError
    __vbaFileOpen
    __vbaLineInputStr
    __vbaFileClose
    modSearchEngineFunctions_StoreListInMemory
    modSearchEngineFunctions_isParamSearchTarget
    querystring
    name_query
    stichwort
    pattern
    suchen
    suchstr
    search_string
    searchstr
    keys
    words
    word
    show
    host
    searchfor
    search
    keyword
    keywords
    term
    terms
    query
    as_epq
    modSearchEngineFunctions_isURLTarget
    searchterm
    modSearchEngineFunctions_SetUpSearch
    modRegistry_KeyExists
    modRegistry_SaveKey
    modRegisterUser_postGuiVars
    prop
    checkin
    speed
    modRegisterUser_RegUser
    StringFromGUID24
    CoCreateGuid
    spif.fil
    spif.ini
    qd.aspx
    rc.aspx
    ri.aspx
    ss/client/
    ss/client/rinfo/
    ss/client/search/
    __vbaRedim
    __vbaVarMove
    __vbaErase
    modLogic_setSearchEngineInfo
    SOFTWARE\Classes\CLSID\
    modLogic_initForm
    modLogic_initLogic
    modLogic_LoadDatFile
    modDumbPops_NavToDPPage
    modDumbPops_CheckDumbPops
    __vbaUbound
    __vbaVarTstGt
    __vbaDerefAry1
    __vbaI2ErrVar
    __vbaAryDestruct
    __vbaVarCat
    __vbaPowerR8
    modDecrypt_UnSetBit
    modDecrypt_SetBit
    modDecrypt_IsBitSet
    modDecrypt_BitEncrypt
    modCountSubstrings_CountSubstrings
    __vbaVarOr
    __vbaInStrVar
    modSearchEngineFunctions_isBrowserTitleValid
    __vbaBoolVarNull
    forbidden
    __vbaLenBstr
    modInternetGetFile_InternetGetFile
    InternetOpenA
    re.aspx
    URLDownloadToFileA
    urlmon
    __vbaFixstrConstruct
    __vbaLsetFixstr
    modINIManipulation_WriteIni
    modINIManipulation_ReadIni
    modGetScreenRes_isBrowserSizeValid
    modGetScreenRes_GetScreenRes
    __vbaRecUniToAnsi
    __vbaStrToAnsi
    __vbaRecAnsiToUni
    __vbaStrToUnicode
    FileExists
    FindClose
    qr.aspx
    errLine
    errFunc
    errDes
    __vbaNew
    clsIESearch_m_ie_BeforeNavigate2
    about
    clsIESearch_IOleCommandTarget_QueryStatus
    FindFirstFileA
    clsIESearch_IObjectWithSite_SetSite
    clsIESearch_IObjectWithSite_GetSite
    clsIESearch_Class_Initialize
    IEDockingWindow
    m_ie_BeforeNavigate2
    IOleCommandTarget_QueryStatus
    CLSIDFromString4
    RtlMoveMemory
    GpIOleCommandTarget
    clsDW_IeSnk
    clsDW_InternetExplorer
    clsDW_SetSize
    clsDW_Show
    clsDW_NegotiateBorderSpace
    Class_Initialize
    clsDW_IObjectWithSite_SetSite
    clsDW_IObjectWithSite_GetSite
    clsDW_IDockingWindow_ShowDW
    clsDW_IDockingWindow_ResizeBorderDW
    clsDW_IDockingWindow_GetWindow
    clsDW_IDockingWindow_ContextSensitiveHelp
    clsDW_IDockingWindow_CloseDW
    clsDW_Class_Terminate
    clsDW_Initialize
    __vbaSetSystemError 
    modConnectionType_IsNetConnectViaModem
    modConnectionType_IsNetConnectViaLAN
    modConnectionType_GetNetConnectString
    InternetGetConnectedState
    Wininet
    __vbaOnError
    __vbaLateIdCall
    __vbaObjSet
    __vbaFreeObj
    __vbaStrCopy
    __vbaFreeStr
    __vbaHresultCheckObj
    __vbaStrMove
    __vbaFreeStrList
    __vbaFreeVar
    string
    __vbaExitProc
    __vbaObjSetAddref
    __vbaCastObj
    __vbaAptOffset
    __vbaNew2
    __vbaLateIdSt
    __vbaFailedFriend
    __vbaLateMemCallLd
    __vbaObjVar
    __vbaFreeObjList
    __vbaFreeVarList
    __vbaHresultCheckNonvirt
    __vbaLateIdCallLd
    IeSnk
    InternetExplorer
    IObjectWithSite_SetSite
    IObjectWithSite_GetSite
    FIDockingWindow_ShowDW
    IDockingWindow_ResizeBorderDW
    IDockingWindow_GetWindow
    IDockingWindow_ContextSensitiveHelp
    __vbaVarDup
    IDockingWindow_CloseDW
    Class_Terminate
    Initialize
    ShowWindow
    MoveWindow
    SetWindowLongA
    SetParent
    GetWindowLongA
    sRIObjectWithSite
    IOleCommandTarget_Exec
    3oVBInternal
    3qClass
    VBShellLib
    UvoC\PROJECTS\BHOSubSearch\_VBSHELL\Vbshell.tlb
    IDockingWindow
    3qm_ie
    __vbaStrVarMove
    __vbaVarVargNofree
    __vbaInStr
    __vbaCastObjVar
    __vbaStrCmp
    __vbaStrVarCopy
    __vbaErrorOverflow
    __vbaStrCat
    frmSearch_tmpFrameMain_oncontextmenu
    frmSearch_tmpFrameMain_onclick
    __vbaVarSub
    frmSearch_tmpFrame4_oncontextmenu
    frmSearch_tmpFrame4_onclick
    frmSearch_tmpFrame3_oncontextmenu
    frmSearch_tmpFrame3_onclick
    frmSearch_tmpFrame2_oncontextmenu
    frmSearch_tmpFrame2_onclick
    frmSearch_tmpFrame1_oncontextmenu
    frmSearch_tmpFrame1_onclick
    href
    _main
    target
    frmSearch_DockingWindow
    frmSearch_IeSnk
    frmSearch_InternetExplorer
    frmSearch_wb_ie_TitleChange
    frmSearch_wb_ie_ProgressChange
    __vbaStrErrVarCopy
    frmSearch_wb_ie_DocumentComplete
    Title
    frmSearch_wb_ie_BeforeNavigate2
    GetSystemMetrics
    soft
    Uninstall
    version
    search
    clear
    frmSearch_lblClose_Click
    frmSearch_IE_SEARCH_TitleChange
    roff
    loff
    frmSearch_IE_SEARCH_DocumentComplete
    Document
    contentWindow
    frmSearch_IE_SEARCH_BeforeNavigate2
    frmSearch_IE_GUID_TitleChange
    frmSearch_IE_GUID_DocumentComplete
    False
    report
    Date
    install
    frmSearch_IE_ER_DocumentComplete
    frmSearch_IE_ER_BeforeNavigate2
    frmSearch_IE_DYN_TitleChange
    frmSearch_IE_DYN_DocumentComplete
    ShellExecuteA
    shell32.dll
    GetDesktopWindow
    RegSetValueExA
    RegOpenKeyExA
    RegDeleteKeyA
    RegCreateKeyA
    RegCloseKey
    advapi32.dll
    True
    WritePrivateProfileStringA
    GetPrivateProfileStringA
    frmSearch_IE_DYN_BeforeNavigate2
    frmSearch_IE_DP_DocumentComplete
    frmSearch_IE_DP_BeforeNavigate2
    Item
    length
    frmSearch_IE_CLICK_DocumentComplete
    frmSearch_IE_CLICK_BeforeNavigate2
    frmSearch_OpenSubSearch
    frmSearch_CloseSubSearch
    frmSearch_setLogicOn
    frmSearch_setSearchQuery
    frmSearch_setSubSearchOn
    tagName
    frmSearch_setSearchEngine
    frmSearch_getgetPopOutSide
    frmSearch_getWBIEDocHeight
    offsetHeight
    documentElement
    frmSearch_Form_Resize
    frmSearch_Form_Unload
    frmSearch_Form_Load
    blank
    about
    tmpFrameMain_oncontextmenu
    tmpFrameMain_onclick
    tmpFrame4_oncontextmenu
    tmpFrame4_onclick
    tmpFrame3_oncontextmenu
    tmpFrame3_onclick
    tmpFrame2_oncontextmenu
    tmpFrame2_onclick
    tmpFrame1_oncontextmenu
    tmpFrame1_onclick
    wb_ie_TitleChange
    wb_ie_ProgressChange
    wb_ie_DocumentComplete
    wb_ie_BeforeNavigate2
    lblClose_Click
    IE_SEARCH_TitleChange
    IE_SEARCH_DocumentComplete
    IE_SEARCH_BeforeNavigate2
    IE_GUID_TitleChange
    IE_GUID_DocumentComplete
    IE_ER_DocumentComplete
    IE_ER_BeforeNavigate2
    IE_DYN_TitleChange
    IE_DYN_DocumentComplete
    IE_DYN_BeforeNavigate2
    IE_DP_DocumentComplete
    IE_DP_BeforeNavigate2
    IE_CLICK_DocumentComplete
    IE_CLICK_BeforeNavigate2
    Form_Resize
    Form_Unload
    Form_Load
    Frame1
    Form
    C\WINNT\system32\SHDOCVW.DLL
    Mwb_ie
    lblTitle
    tmpFrame2
    lblClose
    tmpFrame4
    tmpFrame3
    tmpFrame1
    C\WINNT\system32\MSHTML.TLB
    tmpFrameMain
    zC\WINNT\System32\shdocvw.oca
    www.fastfind.org
    modReplaceString
    modGrabBaseDomain
    modCreateGUID
    modUpdateApplicationFiles
    modSearchEngineFunctions
    modRegistry
    modRegisterUser
    modParameters
    modLogic
    modLoadDataFile
    modDumbPops
    modDecrypt
    modCountSubStrings
    modBrowserTitleCheck
    modQuickParse
    modInternetGetFile
    modINIManipulation
    modGetScreenRes
    modFileExists
    modErrorReport
    modConnectionType
    frmSearch
    1\ver28\SUBSEA
    WebBrowser
    SHDocVwCtl.WebBrowser
    ReadyState
    PribiE
    .reloc
    .idata
    .data
    .text
     
  4. peterplan

    peterplan Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    1
    Location:
    Sweden
    I just removed pribi using hijackthis from my computer, and it seems ieservice.dll and a couple of other files in the application folder got installed at the same time.
    ieservice also seems to come from E!?

    It seems like pribi takes control of the search assistant in IE and whenever you search for something it opens up the searchtab and displays some results.
     
  5. jwilday

    jwilday Guest

    HI
    I am having the same trouble and have the same folder Pribi with the same contents.
    I am so far unable to remove it successfully and it does hijack my yahoo searches.
    I found that the folder IEServices was installed at the same time. It seems IEServices takes over my search engine as well and posts its own results on the right side of the screen while Pribi posts its finds on the left side with Yahoo in between them.
    I was able to remove IEServices with info found here

    http://securityresponse.symantec.com/avcenter/venc/data/adware.fastfind.html

    It should be noted that before I could delete the IEServices file I had to delete all the registry keys first.
    Hope somebody finds all the registry keys associated with Pribi
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Last edited: Jul 29, 2004