Very Strange....

Discussion in 'other anti-trojan software' started by Suzuko, Jun 20, 2004.

Thread Status:
Not open for further replies.
  1. Suzuko

    Suzuko Registered Member

    Joined:
    Mar 25, 2004
    Posts:
    14
    Last night my computer started behaving strangely, everything froze up and when I tried to close some windows about two dozen small gray windows opened, one after the other in a cascade, all saying the same thing, something about Visual Basic C++ runtime errors.

    I could not shut anything down the normal way so I tried to use the Task Manager, but after hitting Ctrl+Alt+Del an error message came up saying Task Manager has created errors and will be closed by Windows. After clicking OK on the Task Manager error message, ALL the open windows closed, AND Zone Alarm Pro vanished from the tray.

    At this point I disconnected from the internet and reopened ZA to look at the Alerts log. Lo and behold, it showed there were hundreds upon hundreds of attempts by "explorer.exe" to make an outgoing connection to a certain IP address and "gawab.com" which is a web-based free email service.

    Fortunately I had just updated all my security apps - NAV, Spybot S&D, AdAware, PestPatrol and SpySweeper - and ran full system scans with each of them in sequence. Nothing very bad came up until I ran SpySweeper, which found "Acid Shivers" trojan horse and "Sc-keylog". I thought it was odd that PestPatrol or Spybot didn't find these.

    Before allowing SpySweeper to make any changes, I looked up how to remove those two pests. None of the files or registry entries they are supposed to add were present on the computer. And SpySweeper said it's going to remove these registry entries which were not present in the registry when I searched for them. I let SS do its thing anyway.

    Now, the really strange thing is that according to what I read about "Acid Shivers" it first of all doesn't run under Windows 2000 (well, maybe there's a "new and improved" version?) and secondly, even though I could find no evidence of the program anywhere in my computer, the behavior reported in the ZA Alerts seems to indicate that this pest was indeed present.

    So now I have no idea WTF is going on. Can anyone tell me?
     
    Last edited: Jun 20, 2004
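The ZA alerts described above (one program, hundreds of blocked outgoing attempts, the same destination over and over) are the kind of thing worth pulling out of a firewall log mechanically rather than by scrolling. Below is an added example, not code from the thread or from Zone Labs: it parses a constructed comma-separated log loosely modelled on ZoneAlarm's text log (type, date, time, program, destination, protocol), counts blocked attempts per program and destination, and flags repeat offenders, calling out mail ports separately because the Windows shell has no business talking SMTP. The field order and the sample lines are assumptions; check your own firewall's export and adjust `parse_line()` if it differs.

```python
"""Triage a personal-firewall alert log for a program that is repeatedly
blocked while reaching for the same destination.

Added example, not from the thread or from Zone Labs. The comma-separated
layout below is constructed and only loosely modelled on ZoneAlarm's text
log (type, date, time, program, destination, protocol); check your own
firewall's export and adjust parse_line() if the field order differs.
"""
import csv
from collections import Counter

# Constructed sample lines; addresses are from the documentation ranges.
SAMPLE_LOG = """\
PE,2004/06/19,19:10:02,explorer.exe,203.0.113.7:25,TCP
PE,2004/06/19,19:10:03,explorer.exe,smtp.example.net:25,TCP
PE,2004/06/19,19:10:04,explorer.exe,203.0.113.7:25,TCP
PE,2004/06/19,19:10:09,iexplore.exe,198.51.100.20:80,TCP
FWIN,2004/06/19,19:10:10,192.0.2.9:1434,192.168.1.2:1434,UDP
PE,2004/06/19,19:10:11,explorer.exe,203.0.113.7:25,TCP
PE,2004/06/19,19:10:12,explorer.exe,203.0.113.7:25,TCP
PE,2004/06/19,19:10:40,svchost.exe,192.0.2.53:53,UDP
"""

MAIL_PORTS = {25, 465, 587}


def parse_line(line):
    """Return (program, host, port) for a program-alert (PE) line, else None."""
    fields = next(csv.reader([line]))
    if len(fields) < 6 or fields[0] != "PE":
        return None                      # packet events (FWIN/FWOUT) carry no program name
    program = fields[3].strip().lower()
    host, sep, port = fields[4].rpartition(":")
    if not sep:                          # destination logged without a port
        host, port = fields[4], ""
    return program, host, int(port) if port.isdigit() else None


def summarise(log_text):
    """Count blocked attempts per (program, destination host, port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec] += 1
    return counts


def flag_suspicious(counts, threshold=3):
    """Return programs that hit one destination at least `threshold` times.

    A mail port is called out separately: the Windows shell (explorer.exe)
    has no reason to speak SMTP, so that combination points at something
    running inside or impersonating it rather than at the shell itself.
    """
    findings = []
    for (program, host, port), n in counts.items():
        if n < threshold:
            continue
        reason = "repeated blocked attempts to one destination"
        if port in MAIL_PORTS:
            reason += "; destination is a mail (SMTP) port"
        findings.append({"program": program, "host": host, "port": port,
                         "count": n, "reason": reason})
    return sorted(findings, key=lambda f: -f["count"])


def per_program_totals(counts):
    """Total blocked attempts per program, regardless of destination."""
    totals = Counter()
    for (program, _, _), n in counts.items():
        totals[program] += n
    return totals


if __name__ == "__main__":
    c = summarise(SAMPLE_LOG)
    for f in flag_suspicious(c):
        print(f"{f['program']} -> {f['host']}:{f['port']} x{f['count']}  ({f['reason']})")
    print(dict(per_program_totals(c)))
```

The per-program total is what tells you the scale (the thread later reports 584 attempts from one process); the per-destination breakdown is what tells you where the traffic was headed, which is the part worth handing to whoever analyses the sample.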
  2. controler

    controler Guest

    I am sure someone will tell you to post the normal HijackThis log lol
    In the early days, Pepik was adding some keyloggers but I have not been part of that scene for some time now so I don't know if he still does or not.
    If he is, send the sample to him and it will get added. In general, Spybot is not an AV, AT or firewall. It is a Spyware removal tool with extra hijack protection and his addition of the Keylogging DEFs was only an extra perk added to an already good program.

    con
     
  3. Suzuko

    Suzuko Registered Member

    Joined:
    Mar 25, 2004
    Posts:
    14
    Should I post it in this thread?
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    No, post your HJT log in the Hijack cleaning forum.


    snowbound
     
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  6. Suzuko

    Suzuko Registered Member

    Joined:
    Mar 25, 2004
    Posts:
    14
  7. Suzuko

    Suzuko Registered Member

    Joined:
    Mar 25, 2004
    Posts:
    14
    I just checked my Zone Alarm Alerts log again, and it shows 68 blocked attempts this morning by "explorer.exe" to make an outgoing connection to the same IP address as last night.
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    This means you have a trojan (or at least adware) injected into explorer.exe.

    Please contact me if you want further assistance, I'd suggest you email that explor~2.dll as well > submit@diamondcs.com.au
     
  9. Suzuko

    Suzuko Registered Member

    Joined:
    Mar 25, 2004
    Posts:
    14
    According to ZA there were a total of 584 attempts by "explorer.exe" to connect to 204.97.230.39 and smtp.gawab.com in less than 24 hours, and at least half of that time I was offline.

    I installed and ran Ewido. The scan of just my C: drive took 97 minutes and it didn't find anything.

    I found another app, Trojan Hunter, which I downloaded, installed, updated and ran. The scan (it took less than 10 minutes) found a suspect file called explorerhk.dll which I let it go ahead and rename. As soon as this was done, the aforementioned outgoing connection attempts stopped occurring.

    Before running Trojan Hunter, I had found a reference on another forum to explorer.exe possibly being a trojan if it is located outside of the C:\windows folder. So I looked everywhere else for that file, and found several suspicious files in C:\WINNT\system32, including explorerr.exe (note the double "r") and explorerhk.dll, plus an explorer.exe, 384kb in size, with its own icon that looks like a filmstrip from a camera.

    All these suspicious files had a creation date of June 19, 2003 (not 2004) @ 7:09:05 p.m., which is just before the trouble began this past Saturday. Do you want me to send them all? Should I put them in an encrypted zip file?

    I am not sure what you mean by "injected into explorer.exe" and I did not see a file called explor~2.dll.
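The search Suzuko describes (explorer.exe outside its proper folder, near-miss names like explorerr.exe and explorerhk.dll, all sharing one creation timestamp) can be scripted so nothing is missed. Below is an added example, not code from the thread or from any of the products named in it: it walks a directory tree, reports any explorer.exe that is not in a legitimate location, reports look-alike names within two edits of "explorer", and groups the hits by creation time so files dropped together stand out. The sample tree is constructed in a temp directory; on a real Windows 2000/XP box you would pass the system drive as root and both %SystemRoot% and %SystemRoot%\system32\dllcache (Windows File Protection keeps a cache copy there) as legitimate directories.

```python
"""Look for explorer.exe impostors in a directory tree: a copy of
explorer.exe outside the directories where it legitimately lives, or a file
whose name is a near miss for it (explorerr.exe, explorerhk.dll), and group
the hits by creation time so files dropped together stand out.

Added example, not from the thread. On Windows 2000/XP pass the system
drive as root and both %SystemRoot% and %SystemRoot%\\system32\\dllcache
(Windows File Protection keeps a cache copy there) as legitimate dirs. The
sample tree is constructed in a temp directory so the example runs anywhere.
"""
import os
import tempfile
from collections import defaultdict
from datetime import datetime
from pathlib import Path

LEGIT_NAME = "explorer.exe"


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_explorer(name, max_edits=2):
    """True for names within a couple of edits of 'explorer' that are not the
    name itself. The prefix check keeps iexplore.exe (Internet Explorer,
    legitimate) from being reported."""
    stem = Path(name).stem.lower()
    return (stem != "explorer" and stem.startswith("expl")
            and edit_distance(stem, "explorer") <= max_edits)


def hunt(root, legit_dirs):
    """Walk `root`; report explorer.exe copies outside `legit_dirs` and look-alikes."""
    legit = {Path(d).resolve() for d in legit_dirs}
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if fn.lower() == LEGIT_NAME and p.parent.resolve() not in legit:
                reason = "explorer.exe outside its legitimate directories"
            elif looks_like_explorer(fn):
                reason = "name is a near miss for explorer.exe"
            else:
                continue
            st = p.stat()
            # st_ctime is creation time on Windows; on POSIX it is the last
            # metadata change, so treat the timestamp as a hint there.
            findings.append({"path": str(p), "size": st.st_size,
                             "created": datetime.fromtimestamp(st.st_ctime).isoformat(timespec="seconds"),
                             "reason": reason})
    return findings


def cluster_by_created(findings):
    """Group findings that share a creation timestamp (to the second)."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["created"]].append(f["path"])
    return dict(groups)


def finding_names(findings):
    """Sorted lower-case file names of the findings, for reporting."""
    return sorted(Path(f["path"]).name.lower() for f in findings)


def build_sample_tree():
    """Constructed layout mirroring the files named in the thread; returns (root, legit_dirs)."""
    base = Path(tempfile.mkdtemp(prefix="explorer-hunt-"))
    winnt = base / "WINNT"
    sys32 = winnt / "system32"
    dllcache = sys32 / "dllcache"
    dllcache.mkdir(parents=True)
    (winnt / "explorer.exe").write_bytes(b"MZ" + b"\0" * 14)           # the real shell
    (dllcache / "explorer.exe").write_bytes(b"MZ" + b"\0" * 14)        # WFP cache copy, expected
    (sys32 / "explorer.exe").write_bytes(b"MZ" + b"\0" * 384 * 1024)   # impostor copy
    (sys32 / "explorerr.exe").write_bytes(b"MZ" + b"\0" * 30)
    (sys32 / "explorerhk.dll").write_bytes(b"MZ" + b"\0" * 30)
    (sys32 / "iexplore.exe").write_bytes(b"MZ" + b"\0" * 30)           # benign, must not be flagged
    (sys32 / "kernel32.dll").write_bytes(b"MZ" + b"\0" * 30)
    return base, [winnt, dllcache]


def run_sample():
    root, legit = build_sample_tree()
    return hunt(root, legit)


if __name__ == "__main__":
    hits = run_sample()
    for f in hits:
        print(f"{f['created']}  {f['size']:>8}  {f['path']}  [{f['reason']}]")
    for ts, paths in cluster_by_created(hits).items():
        if len(paths) > 1:
            print(f"{len(paths)} files created at {ts}")
```

The dllcache allowance is the caveat to remember: on 2000/XP a second explorer.exe under system32\dllcache is normal, so a script that treats every copy outside %SystemRoot% as hostile will raise a false alarm on a clean machine.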
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Suzuko, An ordinary .zip file will do - Send them all and Gavin will advise. :)
     
  11. Suzuko

    Suzuko Registered Member

    Joined:
    Mar 25, 2004
    Posts:
    14
    The package has been sent. I will be looking forward to hearing the findings.
     
  12. Suzuko

    Suzuko Registered Member

    Joined:
    Mar 25, 2004
    Posts:
    14
    OK, Perfect Keylogger was on my PC. I thought it was all gone, and then I saw its icon at the bottom of a page I was working on. I have attached a cropped screenshot.

    I deleted all the files this program had installed out of the WINNT\System32 folder. Then the next day while browsing online, suddenly this Perfect Keylogger window - like the one I have attached below (only then it said Three Days, not Two) - appeared "out of nowhere."

    Today when the PC booted up, the PK window appeared on the desktop. I figured, what the heck, I'll see what it's about, and clicked the Continue Evaluation button, which caused the error message in the 3rd screenshot attached below.
     

    Attached Files:

  13. Suzuko

    Suzuko Registered Member

    Joined:
    Mar 25, 2004
    Posts:
    14
    Here's the 2nd screenshot:
     

    Attached Files:

  14. Suzuko

    Suzuko Registered Member

    Joined:
    Mar 25, 2004
    Posts:
    14
    Here's ss#3:
     

    Attached Files:

  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    The image in Internet Explorer is the Perfect Keylogger IE plugin, TDS should detect this. Make sure you have the latest databases, then scan and delete all trojans found as Keylog.Perfect.
     
  16. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    With all due respect!!!!! but I would delete all trojans... ;)


    couldn't let this one slip...
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    :D :D
     