Well-hidden virus or dialer?

Discussion in 'adware, spyware & hijack cleaning' started by Black Scholes, Feb 12, 2004.

Thread Status:
Not open for further replies.
  1. Black Scholes

    Black Scholes Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    15
    Hey guys -

    I have a problem I think with some type of lingering trojan or backdoor dialler. I initially picked up some viruses about 2-3 months ago, and with the help of this forum and some other tools eradicated everything - or so I thought.

    The problem is this: when I open a browser (Internet Explorer), a second one opens that I can't see. I can only tell when I Ctl/Alt/Del (I'm running W98) to check the Task Manager and see a blank application entry; if I quickly close my browser and Ctl/Alt/Del I will catch an "iexplorer" window still open.

    How can I figure out what's going on? I've run every anti-virus program I know of and I've taken care of everything they've found. The only application that's spotted something I'm not sure about is SpyHunter (I'm only running the free trial at present). SpyHunter shows
    1. Netratings.
    HKEY_LOCAL_MACHINE.
    HKEY_CURRENT_USER\SOFTWARE\HKEY_LOCAL_MACHINE
    2. AcroIEHelper.
    AcroIEHelper.AcroIEHlprObj
    HKEY_CLASSES_ROOT\AcroIEHelper.AcroIEHlprObj
    3. AcroIEHelper
    AcroIEHelper.AcroIEHlprObj.1
    HKEY_CLASSES_ROOT\AcroIEHelper.AcroIEHlprObj.1
    If this is something that needs to be addressed, do I upgrade and buy the software to fix it?

    There was another indication from a different anti-virus program that there were some questionable files in Acrobat, but I can't find my notes on it at the moment.

    I'm also attaching a copy of Hijack This that I ran this afternoon.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:13:51 PM, on 2/12/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.EXE
    C:\WINDOWS\SYSTEM\SKDAEMON.EXE
    C:\WINDOWS\SYSTEM\PRPCUI.EXE
    C:\WINDOWS\SYSTEM\PELMICED.EXE
    C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
    C:\WINDOWS\SYSTEM\SKSMAILD.EXE
    C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\MSBNTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WORKPAD\PALM.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\ONTRACK\POWERDESK\PDEXPLO.EXE
    C:\WINDOWS\TEMP\~~PDTEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_8_6.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_8_6.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IrMon] IrMon.exe
    O4 - HKLM\..\Run: [PopUpKiller] C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.EXE
    O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
    O4 - HKLM\..\Run: [gnetmous] C:\Screen Scroller\gnetmous.exe
    O4 - HKLM\..\Run: [ALiUSBfix] C:\WINDOWS\SYSTEM\GREENMK.exe
    O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
    O4 - HKLM\..\Run: [ATOMIC.EXE] C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra button: Katiesoft (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37871.0860069444
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab
    O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.globalchat.com/custom/nativeclient/msichat.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab


    I know this is very, very long, so thank you all for your time. I don't know if there is a worm or e-mailer that is using my computer through some port I can't see or what, but I would be so grateful for any help or opinions. This is really wearing on me. Thanks again.
     
  2. Black Scholes

    Re:Help with suspected spyware / dialler / e-mailer??

    FWIW - I found spam in my filter that I had apparently sent to myself. So I guess there is in fact something on my computer that is pretty well hidden.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Black Scholes,

    The Acrobat Reader BHO is perfectly OK and a known false positive of SpyHunter.

    Before you start, please unzip HijackThis to a separate folder. The program makes its backups in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)

    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

    Then reboot and find this file:
    C:\WINDOWS\SYSTEM\SKSMAILD.EXE
    right-click it, choose Properties and let us know what it says on the Version tab.

    Spybot - Search & Destroy and AdAware are better alternatives to SpyHunter IMO.

    Regards,

    Pieter
     
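An added example, not from the thread or from HijackThis itself: the selection Pieter makes above is a manual read of the log, and the Python script below applies three of the mechanical checks behind such a read to a HijackThis 1.x log. It flags O1 hosts-file entries (any pinned hostname is worth confirming), O4 Run entries that name an executable without a path, and O16 download entries whose host is not on a trusted-vendor list, that have no registered control name, or that fetch an .exe directly. The trusted-host list and the rules are this example's own assumptions, assembled from the vendors visible in the log; the sample input is an excerpt of the first log posted above.

```python
"""Rule-based first pass over a HijackThis 1.x log: separates the entries that
need a human's verdict from the ones that look like what they claim to be."""
import re
from urllib.parse import urlsplit

# Download hosts accepted for O16 (Download Program Files) entries, suffix-matched.
# Assembled for this example from the vendors in the log above; akamai.net is a
# shared CDN, so accepting it is generous and the .exe rule below still applies.
TRUSTED_O16_SUFFIXES = (
    "macromedia.com", "apple.com", "akamai.net", "microsoft.com", "yahoo.com",
    "ibm.com", "pandasoftware.com", "creative.com", "ca.com", "antivirus.com",
    "ravantivirus.com", "globalchat.com",
)

O1 = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O4 = re.compile(r"^O4 - (\S+?): \[(.*?)\] (.+)$")
O16 = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)")

# Excerpt of the first log posted in this thread, used as sample input.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUpKiller] C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
"""

def host_trusted(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_O16_SUFFIXES)

def triage_hjt(log_text):
    """Return (section, line, reason) for each entry that needs a human verdict."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O1.match(line)
        if m:
            ip, name = m.groups()
            findings.append(("O1", line, f"hosts file pins {name} to {ip}; confirm you put it there"))
            continue
        m = O4.match(line)
        if m:
            cmd = m.group(3).strip()
            # First token only; paths with spaces are fine because we only test for a backslash.
            exe = cmd.strip('"').split()[0]
            if "\\" not in exe:
                findings.append(("O4", line, f"'{exe}' has no path, so the search path decides which file runs; check which copy that is"))
            continue
        m = O16.match(line)
        if m:
            _clsid, desc, url = m.groups()
            parts = urlsplit(url)
            reasons = []
            if not desc:
                reasons.append("no control name registered")
            if not host_trusted(parts.hostname or ""):
                reasons.append(f"download host {parts.hostname} is not on the trusted list")
            if parts.path.lower().endswith(".exe"):
                reasons.append("points straight at an .exe instead of a .cab")
            if reasons:
                findings.append(("O16", line, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for section, line, reason in triage_hjt(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```

A hit means "verify", not "fix": the Yahoo and Google toolbars in the same log would pass these rules while still being optional, and the RealArcade line Pieter picked is caught only because real.com is absent from the trusted list, so the list is what decides. Extend the rules to the O2/O3 sections only once you have a vendor list you trust for them.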
  4. Black Scholes

    Pieter -

    I ran Hijack This and did the fixes as you suggested (Market Browser should have been originally software from the Wall Street Journal but I never used it anyway).

    "Sksmaild.exe" is related to my IBM Media Access Keyboard I think. The version information is as follows: File Version 1,0,1,3. Description Simple MAPI Client Daemon. Copyright Silitek Corp 1999-2000.

    I do agree on Spy Hunter, I'm just trying everything I can at this point. What do you think about the "AcroIEHelper"? Could that be a problem, or is that just a false positive to get people to buy the software?

    I did run another anti-virus program that said it found a virus called "child.dll". The program should have deleted it.

    Regardless, I seem to still have an unidentified window open, which I'm pretty sure is an Internet Explorer app.

    I'm open to any suggestions. I can't believe this is so hard to find.

    Thank you for all of your help.
     
  5. Black Scholes

    Pieter -

    To follow is a current copy of a Hijack this scan, in case it helps. Thanks again.


    Logfile of HijackThis v1.97.7
    Scan saved at 3:37:53 AM, on 2/14/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.EXE
    C:\WINDOWS\SYSTEM\SKDAEMON.EXE
    C:\WINDOWS\SYSTEM\PRPCUI.EXE
    C:\WINDOWS\SYSTEM\PELMICED.EXE
    C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
    C:\PROGRAM FILES\MEMENTO\MEMENTO.EXE
    C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\MSBNTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SKSMAILD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\THE CLEANER\CLEANER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\MY DOWNLOADS\HIJACKTHIS.EXE
    C:\MY DOWNLOADS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
    O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_8_6.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.107-deleon.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_8_6.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.107-deleon.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IrMon] IrMon.exe
    O4 - HKLM\..\Run: [PopUpKiller] C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.EXE
    O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
    O4 - HKLM\..\Run: [gnetmous] C:\Screen Scroller\gnetmous.exe
    O4 - HKLM\..\Run: [ALiUSBfix] C:\WINDOWS\SYSTEM\GREENMK.exe
    O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
    O4 - HKLM\..\Run: [SpyStopper] C:\PROGRAM FILES\SPYSTOPPER\spystopper.exe
    O4 - HKLM\..\Run: [ATOMIC.EXE] C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - Startup: Memento.lnk = C:\Program Files\Memento\Memento.exe
    O4 - Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.107-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.107-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.107-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.107-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.107-DELEON.DLL/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Katiesoft (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37871.0860069444
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab
    O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.globalchat.com/custom/nativeclient/msichat.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
     
  6. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Black Scholes,

    Do you hear an extra click when that window opens?

    Or do you see it for just a second before it disappears?

    There is no way to open and maximize that window, or to right-click inside it and check for properties?

    Let's start with these two additional scanners that you can try, see if they come up with anything :

    BitDefender

    and

    TrendMicro

    Keep us posted,

    Cheers,
     
  7. Black Scholes

    I'll try BitDefender, Unzy. I've used Trend Micro and it's good but it hasn't found this one.

    I do hear double clicks when I'm using my IE and that's bothered me.

    I found two pieces of spam in my inbox this morning with my e-mail address as the sender (it's not a common name). I don't know the terminology, but I'm definitely being used by someone and it's freaking me out. I can't believe I can't find this on my system.

    I'll get back to you with the results. Thank you.
     
  8. Black Scholes

    BitDefender didn't find anything.

    I'm open to any other suggestions.

    Does anyone have any ideas? I'll try anything.

    Thanks.
     
  9. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi BlackScholes,

    You might want to try downloading and installing the demo of PortExplorer from here

    http://www.diamondcs.com.au/portexplorer/downloads/pedemosetup.exe

    You want to pay particular attention to the "Remote" tab and look for anything that is out of place (remote points that cannot be explained by intended browser or email activity). Also, you should look at the "Listening" section for things that seem out of place there.
     
  10. Black Scholes

    Thanks for the reply Dan.

    I had downloaded Port Explorer along with TDS the other day; I've got it open but I frankly don't know what I'm looking at.

    I closed down my open IE and immediately did Ctl/Alt/Del and caught an iexplorer before it could close. But the Task Manager on W98 doesn't give you any information.

    What should I be looking for?

    Thanks for your patience.
     
  11. Dan Perez

    Hi Black Scholes,

    Okay, starting with the entries on the "Remote" tab (since it is the shorter list).

    You want to right-click on each entry and use the following queries

    - Resolve <remote address IP>

    - If the above does not give you a good clue to the identity of the remote host you might also do Whois <remote address IP>

    Between knowing what application is going to whatever external host and knowing the identity of the external host, you should be able to eliminate many if not all of these entries as legitimate connections that you need not be concerned with. However, if an application is open that you are unaware of, that is not a good sign; and if a program you know is open is accessing a host that you did not tell it to access, that is also not good.

    Likewise the ports in use could offer clues but sometimes it is the source port that offers the clue and sometimes the remote port. (You can query on these from the right-click menu as well). If there is any entry that you are unsure of you can set PE to spy on that socket (from the right-click menu go to "Socket -> Enable Spying") and then you can start viewing the data traversing the socket by pressing Ctrl+S

    You should keep in mind that some malware will not try to maintain a connection but will only connect at intervals.

    With regard to the Listening tab in PE, there are fewer clues to guide you, mainly just seeing which ports are listening and which applications are "tied" to them. If an item there is shown in red, this means that it is running "hidden", which many malware components will do, but it might also be a legitimate app running in the systray (if you enable any systray menu for the respective app you might see the entry change from red to black as long as the menu shows).

    I hope this helps. You can, if you feel comfortable with it, post a screenshot of what you see or use the File -> Save Table feature to post a log but please make sure to edit/mark out any identifying IPs for your own machine so as to preserve your privacy.
     
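The checklist above is what a socket-table review comes down to: known program, known remote host, expected port, nothing hidden. As an added example (not from the thread, Port Explorer or DiamondCS), the Python script below encodes that checklist over a constructed, tab-separated table laid out like a Port Explorer "Save Table" export. The reverse-DNS table, the expected-port table and every row of the sample are invented for the example; on a real box you would replace the lookup with socket.gethostbyaddr and a whois query. Windows 98's own netstat -an shows the sockets but not which program owns them, which is the gap a tool like Port Explorer fills.

```python
"""Triage a saved socket table along the lines of the checklist above."""
from dataclasses import dataclass

# Stand-in for Port Explorer's "Resolve" lookup so the example runs offline:
# a constructed reverse-DNS table using documentation-range addresses.
# For real use, socket.gethostbyaddr() and a whois query take its place.
REVERSE_DNS = {
    "192.0.2.10": "www.nytimes.com",   # pretend this is the homepage in the log
    "192.0.2.20": "mail.example.net",  # pretend this is the ISP's mail server
    "203.0.113.45": None,              # no PTR record
}

# Programs we know and the remote ports each has a reason to talk to.
# Anything outside this table is a finding, not proof of infection.
EXPECTED = {
    "IEXPLORE.EXE": {80, 443},
    "SKSMAILD.EXE": {25, 110},   # the Silitek mail client daemon from the thread
}

# Constructed rows in the column order of a Port Explorer "Save Table" export:
# process, PID, local endpoint, remote endpoint, state, hidden (Y/N). Tab separated.
# None of these rows come from the original poster's machine.
SAMPLE_TABLE = """\
IEXPLORE.EXE\t4711\t192.168.1.5:1045\t192.0.2.10:80\tESTABLISHED\tN
IEXPLORE.EXE\t4712\t192.168.1.5:1046\t203.0.113.45:25\tESTABLISHED\tY
SKSMAILD.EXE\t4720\t192.168.1.5:1050\t192.0.2.20:110\tESTABLISHED\tN
SAMPLE_SVC.EXE\t4730\t0.0.0.0:5555\t\tLISTENING\tY
"""

@dataclass
class Row:
    process: str
    pid: int
    local: str    # "ip:port"
    remote: str   # "ip:port", empty for a listening socket
    state: str
    hidden: bool  # Port Explorer shows hidden processes in red

def parse_table(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proc, pid, local, remote, state, hidden = line.split("\t")
        rows.append(Row(proc.upper(), int(pid), local, remote, state.upper(), hidden == "Y"))
    return rows

def split_endpoint(ep):
    host, _, port = ep.rpartition(":")
    return host, int(port)

def triage(rows):
    """Return (process tag, reason) pairs worth a second look."""
    findings = []
    for r in rows:
        tag = f"{r.process}[{r.pid}]"
        allowed = EXPECTED.get(r.process)
        if r.hidden:
            findings.append((tag, "runs hidden; confirm it is a tray app or service you installed"))
        if r.state == "LISTENING":
            if allowed is None:
                findings.append((tag, f"unknown program listening on {r.local}"))
            continue
        ip, port = split_endpoint(r.remote)
        name = REVERSE_DNS.get(ip)
        where = f"{ip}:{port} ({name or 'no PTR, whois it'})"
        if allowed is None:
            findings.append((tag, f"unknown program connected to {where}"))
        elif port not in allowed:
            findings.append((tag, f"unexpected remote port for this program: {where}"))
    return findings

if __name__ == "__main__":
    for tag, why in triage(parse_table(SAMPLE_TABLE)):
        print(tag, "-", why)
```

The output is a worklist, not a verdict: an unexpected port for a known program (here a browser process on port 25) is exactly the kind of entry Dan suggests spying on, and a hidden unknown listener is the first thing to identify by file. Because malware may only connect at intervals, run the triage over several saved tables taken minutes apart rather than one snapshot.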
  12. Black Scholes

    Dan - thanks for the ideas and I'm working on those.

    However - I think I found the problem. It is a file called "Child.dll" and I think it's a known spammer virus.

    My problem now is that my computer won't let me delete it. It says "The specified file is in use".

    Any suggestions as to how I can delete it? Apparently the anti-virus people know about it, but it doesn't show up on any of the scans for some reason.

    Thanks.
     
  13. Unzy

    Hi again,

    Start the PC in SAFE MODE : Here's how

    Then find child.dll and delete it.

    You might wanna put a copy of the DLL on a floppy, just in case it turns out to be a legit file and some program is asking for it.

    Cheers,
     
  14. Black Scholes

    Thanks Unzy.

    What about putting it in a zip file so I could send it to the AV folks? Or is it still a dangerous file?
     
  15. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
  16. Black Scholes

    Unzy and sig - I just want to confirm that I just need to delete the file in Safe Mode. I don't need to get into the registry or anything else do I?
     
  17. sig

    As the mynetwatchman site notes:

    This is tricky stuff, since there can be valid child.dll's as well as bad ones as noted. Check the location and date of the file since possibly the more or most recent file may be a clue to what's going on. Before you delete a file, back it up so it's available in case it turns out to be legit. Also search the registry to see where it appears, if it looks like a start up entry like mynetwatchman wrote about, and back up the registry also before you delete the reg entry.

    (Also, you mentioned you had TDS; I suppose you previously ran scans with an updated TDS and came up with nothing? Also, although you mention using various AVs before, did you specifically try Symantec's AV or online scan, since according to the quote above it may be covered, although again you probably have to delete in safe mode as noted. If you already have, then I guess manual surgery is the alternative. Eek!)

    Best of luck!
     
  18. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    The advice to scan in Safe Mode is good. I would definitely try your virus scanner in Safe Mode, because it might find other tidbits as well as the child.dll file. I haven't tried Spybot S&D in safe mode, but this might be another thing to try.

    Best o' luck!
     
  19. Black Scholes

    So here's the update.

    I was finally able to delete the child file in Safe Mode (which I would have never figured out on my own). Unfortunately, it did not address my immediate malware problem as I still apparently have an "iexplore" program running in the background out of my control.

    I initially found reference to the child file while running Trojan Hunter; it was the only one that ID'd it but only said it might be a trojan so it would not delete it.

    I'm kind of worn out on this, but I imagine I'll be back to eventually figure this out.

    I want to thank everyone for their time and effort. I very much appreciate the input.

    One final question - why should I run the AV programs in Safe Mode? What are the advantages to that?

    Thanks again.
     
  20. sig

    It's frequently recommended to run an AV in safe mode so that it can delete a file/process that doesn't run in safe mode, since it sometimes cannot delete a file that is a process already running when the PC is booted all the way into normal mode. This is sometimes the case with trojans. (Also, AVs are not the same as anti-trojan apps, which are specifically designed to detect and remove trojans.)

    Also, did you try looking in the registry for the reg key mynetwatchman mentioned? If what you have is indeed related to what he documented, only deleting the file itself would not be enough.
     
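sig's point that deleting the file is not enough is the persistence problem: the loader entry survives and either fails noisily or pulls a replacement. As an added example (not from the thread or from mynetwatchman, whose page is not quoted here), the Python script below searches a regedit export for every string value that names a given file, marks the ones under the Run-family autostart keys, and writes two REGEDIT4 fragments: a verbatim backup of the matching values and a removal file that uses regedit's "Name"=- value-deletion syntax. The export, the example.dll file name and the ExampleLoader value are constructed; the real key for child.dll is not on this page. Assumptions: the export is in the REGEDIT4 format Win9x regedit writes, and your regedit honours "Name"=- on import (test it on a throwaway value first).

```python
"""Find registry entries that still reference a file you are about to delete,
and write a backup .reg and a removal .reg for them."""
import re

# Autostart keys this example knows about (under HKLM or HKCU). Not exhaustive:
# Win9x also starts things from win.ini (run=/load=) and system.ini (shell=),
# which a .reg export never shows.
AUTOSTART_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows\currentversion\runservices",
    r"\microsoft\windows\currentversion\runservicesonce",
)

# One value line from a .reg export: @=... for the default value, "name"=... otherwise.
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed export in the REGEDIT4 format Win9x regedit writes. The file name
# example.dll and the "ExampleLoader" value are invented for this example.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ExampleLoader"="rundll32.exe C:\\WINDOWS\\SYSTEM\\example.dll,Start"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Hidserv"="Hidserv.exe run"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\example.dll"
"""

def unescape(s):
    # .reg string data doubles backslashes and escapes quotes.
    return s.replace("\\\\", "\\").replace('\\"', '"')

def parse_reg(text):
    """Yield (key, value_name, raw_line, data) for every string value in the export.
    value_name keeps its quotes (or is '@') so it can be reused verbatim in output."""
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name, data = m.groups()
        if data.startswith('"') and data.endswith('"'):   # skip dword:/hex: values
            yield key, name, line, unescape(data[1:-1])

def is_autostart(key):
    return key.lower().endswith(AUTOSTART_SUFFIXES)

def hunt(text, filename):
    """Return (hits, backup_reg, removal_reg) for every value whose data names the file."""
    needle = filename.lower()
    hits, backup, removal = [], ["REGEDIT4", ""], ["REGEDIT4", ""]
    for key, name, line, data in parse_reg(text):
        if needle not in data.lower():
            continue
        hits.append({"key": key, "value": name, "data": data, "autostart": is_autostart(key)})
        backup += [f"[{key}]", line, ""]            # verbatim copy: re-import restores it
        if name == "@":
            removal += [f"; review [{key}] by hand: the hit is its default value", ""]
        else:
            removal += [f"[{key}]", f"{name}=-", ""]   # "name"=- deletes the value on import
    return hits, "\n".join(backup), "\n".join(removal)

if __name__ == "__main__":
    hits, backup, removal = hunt(SAMPLE_REG, "example.dll")
    for h in hits:
        print(("AUTOSTART " if h["autostart"] else "          ") + h["key"], h["value"], h["data"])
    print(removal)
```

Run the hunt before booting to Safe Mode, import the backup if a program later complains, and import the removal file only after the hits look like the loader rather than a legitimate registration. Check win.ini and system.ini by hand as well, since no .reg export covers them.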
  21. Black Scholes

    Thanks for the explanation sig. I did delete that key as well.

    I completely forgot that I had lost my copy of Ad-Aware a while back. Downloaded it and it found something called H-Wire or some such.

    Just hard to stay on top of this stuff.
     