New Spy/Ad Ware?


6 replies to this topic

#1 Sharizod


Posted 05 July 2004 - 11:24 AM

I have come across what seems to be a new piece of spyware/adware. The Win98
client is bombarded with ads for everything from Kazaa to Viagra at seemingly
random intervals (but it seems to happen when browsing to a new site). There is
only one process that *appears* to be loading, but there may be one or two
others. The name of the process that is autoloading via the Run key in the
registry is "ABRPC.EXE". There are two other files (GENERAL.IDF &
CPRBA.INI) in C:\Windows\Config along with ABRPC.EXE.

When looking at the tasklist, nothing can be seen. You can only see it with a
process viewer with the ability to iterate all top-level process windows.
I also did a search for anything resembling Sysupd.exe as I know that to
be a backdoor. A file Sysupd[2].exe did exist in a temp internet folder,
but I could find no obvious hooks into the system nor could I find any
references to sysupd.exe where this supposed back door hooks into.

The classname of the ABRPC.EXE file is: SysUpdClass
The Caption of its top-level window is: SysUpdShadowProcessing

Thanks In Advance for any help.
Sharizod :wtf:

Stats on files:

The trojan/spy/adware culprit..

Filename: ABRPC.EXE
Size: 166912
Date: July 3, 2004
Time: 10:07a

This may be some sort of cfg file?

Filename: General.IDF
Size: 654
Date: April 23, 1999
Time: 10:22p

This appears to be a log file of some sort since it is being constantly written
to???

Filename: CPRBA.INI
Size: 199788
Date: July 5,2004
Time: 11:49

#2 jwbirdsong


Posted 05 July 2004 - 11:57 AM

If I remember my Win9x correctly, GENERAL.IDF is the only file that belongs in C:\Windows\Config; it is the configuration file for MIDI definitions. The other two you list are baddies, but what is generating them is ??? Almost impossible to say without a HJT log. Have them clear out all temps and TIFs and see if that helps. If not, get a HJT log and post it back to this thread.

Edited by jwbirdsong, 05 July 2004 - 11:57 AM.

Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

Posted Image
PROUD member Since 2004

#3 Sharizod


Posted 05 July 2004 - 12:41 PM

Hi there.

Yea I did a search after posting on the other files. The only one
returning hits was general.idf so I know that file is valid at least. As
for HijackThis, where can I get it where the download does not freeze
up on me? (I am using another machine that is not spyware ridden and
is free of virus infection.)

I have tried download.com and zdnet.com to no avail. www.spywareinfo.com was
no help either.

TIA

Edited by Sharizod, 05 July 2004 - 12:42 PM.


#4 jwbirdsong


Posted 05 July 2004 - 12:51 PM

See if you can get it from one of the links below:

http://209.133.47.12.../HijackThis.exe
http://www.spywarein.../HijackThis.exe
http://www.downloads.../hijackthis.zip
http://tools.zerosrealm.com/hjt.zip
http://tomcoyote.com/hjt/

Edited by jwbirdsong, 05 July 2004 - 12:53 PM.


#5 Sharizod


Posted 05 July 2004 - 04:01 PM

Here is the Hijack log for the PC in question... Thanks for your replies thus far
jwbirdsong! Funny, the process viewer I was using did not show me msgsrv32,
kernel, wmiexe running? Hmmph, and I thought it showed me ALL windows...
Anyway, I recognize some of those BHO's as being spyware! I did a complete
search and spybot turned up nothing. That ABRPC process remains however.
It isn't a big deal since the PC is going to be formatted anyway, but I just wanted to
know if I had potentially stumbled on a new malware/spy program?

Many thanks,
Shar


Logfile of HijackThis v1.98.0
Scan saved at 4:45:13 PM, on 07/05/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\RUNDLL2.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\CONFIG\ABRPC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F1 - win.ini: load=rundll2.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Var1Helper Class - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\SYSTEM\INETDCTR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\SYSTEM\idctup20.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ABRPC] C:\WINDOWS\CONFIG\ABRPC.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

#6 jwbirdsong


Posted 06 July 2004 - 09:13 AM

Move HijackThis to its own permanent folder such as c:\HJT\HijackThis.exe <-----Very important; needed to keep/maintain backups in

Press Ctrl+Alt+Del and 'end task' on any of the following that are present:
C:\WINDOWS\CONFIG\ABRPC.EXE
C:\WINDOWS\RUNDLL2.EXE

Put a check next to these in hijackthis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F1 - win.ini: load=rundll2.exe
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL (file missing)
O2 - BHO: Var1Helper Class - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\SYSTEM\INETDCTR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL (file missing)
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\SYSTEM\idctup20.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [ABRPC] C:\WINDOWS\CONFIG\ABRPC.EXE

THEN WITH ALL OTHER WINDOWS CLOSED ,press "Fix".


Make sure you are set to Show Hidden Files and Folders and delete the following files/folders:-
C:\WINDOWS\CONFIG\ABRPC.EXE
C:\WINDOWS\RUNDLL2.EXE
Delete files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN temp, but not temp itself!):

  • C:\Windows\Temp\
  • C:\Temp\
  • Empty your "Recycle Bin"
  • Empty your TIF by Control Panel>Internet Options>General(tab)>Delete files(button)>check box to "remove all off line content">OK>Apply


Then Reboot and post a fresh log back to this thread.

As far as new spyware.....spyware==yes; new==sorry

:unsure:
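The triage jwbirdsong does by eye above (cross-checking the "Running processes" list against the O4 Run entries, and spotting BHOs whose file is already gone) can be scripted. This is an added example, not code from the thread or from HijackThis; it parses a constructed excerpt of the posted log, and the KNOWN_GOOD allowlist and UNUSUAL_DIRS list are assumptions an analyst would maintain for the machine, not HijackThis data.

```python
import re

# Constructed excerpt of the HijackThis v1.98 log posted in this thread (trimmed).
HJT_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL2.EXE
C:\WINDOWS\CONFIG\ABRPC.EXE
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ABRPC] C:\WINDOWS\CONFIG\ABRPC.EXE
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # R0/R1/F1/O2/O3/O4/O9 ... lines
# Analyst allowlist for this machine (assumption for the example, not HijackThis data).
KNOWN_GOOD = {"SYSTRAY.EXE", "QTTASK.EXE", "VPTRAY.EXE", "TEATIMER.EXE"}
UNUSUAL_DIRS = ("C:\\WINDOWS\\CONFIG\\",)  # per the thread, only GENERAL.IDF belongs here

def basename(path): return path.rstrip().rsplit("\\", 1)[-1].upper()

def parse_hjt(text):
    """Split a log into (running process paths, [(code, body), ...])."""
    procs, entries, in_procs = [], [], False
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            procs.append(line)
    return procs, entries

def o4_target(body):
    """'HKLM\\..\\Run: [Name] "C:\\X.EXE" -args' -> 'C:\\X.EXE' (quotes, args dropped)."""
    cmd = body.partition("] ")[2].strip()
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd

def triage(text):
    procs, entries = parse_hjt(text)
    running = {basename(p) for p in procs}
    findings = [("process in unusual dir", p) for p in procs
                if p.upper().startswith(UNUSUAL_DIRS)]
    for code, body in entries:
        if "(file missing)" in body:          # orphaned BHO/toolbar, safe to fix
            findings.append(("orphaned entry", code + " " + body))
        elif code == "O4" and basename(o4_target(body)) not in KNOWN_GOOD:
            state = "running" if basename(o4_target(body)) in running else "not running"
            findings.append((f"unknown autostart ({state})", o4_target(body)))
    return findings
```

Entries reported as "running" are the ones to end-task before pressing Fix, which is the order jwbirdsong gives.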

#7 Sharizod


Posted 09 July 2004 - 10:55 AM

Thanks for the info on how to remove it. I do know HOW to remove it, I was just
wondering if anyone knows what ABRPC.EXE is!? I have never seen it before,
spybot S&D does NOT pick it up, and I haven't been able to find anything on it
anywhere on the internet (Altavista, Google, or Metacrawler).

As far as idctup20.exe, that is a new memory-resident application that ships with
Spybot S&D 1.3 that blocks all bad internet pages (in its list) automatically. I have
already formatted this system so it is clean, but if anyone does know what piece
of spy/trojan software abrpc.exe is associated with, do let us all know!
Rundll2.exe is a memory resident program I created to prevent the installation
or reconfiguration of programs on that PC (win9x and by nature, insecure).

Thanks for all the help

Regards,
Sharizod.



