Sharizod

New Spy/Ad Ware?

7 posts in this topic

I have come across what seems to be a new piece of spyware/adware. The Win98 client is bombarded with ads for everything from Kazaa to Viagra at seemingly random intervals (but it seems to happen when browsing to a new site). There is only one process that *appears* to be loading, but there may be one or two others. The name of the process that is autoloading via the Run key in the registry is "ABRPC.EXE". There are two other files (GENERAL.IDF & CPRBA.INI) in C:\Windows\Config along with ABRPC.EXE.

When looking at the tasklist, nothing can be seen. You can only see it with a process viewer with the ability to iterate all top-level process windows. I also did a search for anything resembling Sysupd.exe as I know that to be a backdoor. A file Sysupd[2].exe did exist in a temp internet folder, but I could find no obvious hooks into the system, nor could I find any references to sysupd.exe where this supposed back door hooks into.

 

The classname of the ABRPC.EXE file is: SysUpdClass

The Caption of its top-level window is: SysUpdShadowProcessing

 

Thanks In Advance for any help.

Sharizod :wtf:

 

Stats on files:

The trojan/spy/adware culprit:

Filename: ABRPC.EXE
Size: 166912
Date: July 3, 2004
Time: 10:07a

This may be some sort of cfg file?

Filename: General.IDF
Size: 654
Date: April 23, 1999
Time: 10:22p

This appears to be a log file of some sort since it is being constantly written to???

Filename: CPRBA.INI
Size: 199788
Date: July 5, 2004
Time: 11:49


If I remember my Win9x correctly, GENERAL.IDF is the only file that belongs in C:\Windows\Config; it is the configuration file for MIDI definitions. The other two you list are baddies, but being generated from???. Almost impossible to say without a HJT log. Have them clear out all temps and TIFs and see if that helps. If not, get a HJT log and post it back to this thread.

Edited by jwbirdsong


Hi there.

Yea, I did a search after posting on the other files. The only one returning hits was general.idf, so I know that file is valid at least. As for HijackThis, where can I get it where the download does not freeze up on me? (I am using another machine that is not spyware ridden and is free of virus infection.)

I have tried download.com and zdnet.com to no avail. www.spywareinfo.com was no help either.

TIA

Edited by Sharizod


Here is the Hijack log for the PC in question... Thanks for your replies thus far, jwbirdsong! Funny, the process viewer I was using did not show me msgsrv32, kernel, wmiexe running? Hmmph, and I thought it showed me ALL windows... Anyway, I recognize some of those BHOs as being spyware! I did a complete search and Spybot turned up nothing. That ABRPC process remains however. It isn't a big deal since the PC is going to be formatted anyway, but I just wanted to know if I had potentially stumbled on a new malware/spy program?

Many thanks,

Shar

Logfile of HijackThis v1.98.0
Scan saved at 4:45:13 PM, on 07/05/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\RUNDLL2.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\CONFIG\ABRPC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F1 - win.ini: load=rundll2.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Var1Helper Class - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\SYSTEM\INETDCTR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [systemTray] SysTray.ExE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\SYSTEM\idctup20.exe
O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ABRPC] C:\WINDOWS\CONFIG\ABRPC.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

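As an added example (not code from this thread or from HijackThis), a small Python triage of the log format posted above: it parses the "Running processes" list and the O4 autostart lines, then flags autostarts living in directories where Win9x programs do not normally sit (the ODD_DIRS list is an assumption), autostarts whose image does not appear in the process list, and entries HijackThis marks "(file missing)". The sample log is a constructed excerpt of the one posted.

```python
import re
# Constructed excerpt of the HijackThis log posted above (raw string: no escaping).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\CONFIG\ABRPC.EXE
C:\WINDOWS\EXPLORER.EXE

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [ABRPC] C:\WINDOWS\CONFIG\ABRPC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
"""

# Assumption: directories where a legitimate Win9x autostart binary does not normally
# live (C:\Windows\Config holds MIDI definitions such as GENERAL.IDF, not programs).
ODD_DIRS = ("C:\\WINDOWS\\CONFIG\\", "C:\\WINDOWS\\TEMP\\")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_log(text):
    """Split a HJT log into (running process paths, O4 autostarts, dangling entries)."""
    running, autostarts, dangling = set(), [], []
    in_procs = False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            running.add(line.upper())
        elif in_procs:
            in_procs = False  # a blank line ends the process list
        elif (m := O4_RE.match(line)):
            cmd = m["cmd"]  # may be quoted and may carry arguments
            path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
            autostarts.append((m["hive"], m["name"], path.upper()))
        elif line.endswith("(file missing)"):
            dangling.append(line)
    return running, autostarts, dangling

def triage(text):
    """Flag odd-location autostarts, autostarts with no running image, dangling BHOs."""
    running, autostarts, dangling = parse_log(text)
    findings = []
    for hive, name, path in autostarts:
        if path.startswith(ODD_DIRS):
            findings.append(f"{name}: autostart from unusual directory {path}")
        if path not in running:
            findings.append(f"{name}: registered in {hive} but not running ({path})")
    findings += [f"dangling reference: {d}" for d in dangling]
    return findings
```

Run against the full log above, the same logic also reports the sysUpd Run entry, whose image is absent from the process list, while the QuickTime entry produces nothing.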

Move HijackThis to its own permanent folder such as c:\HJT\HijackThis.exe <-----Very important; needed to keep/maintain backups in

Press Ctrl+Alt+Del and 'End Task' on any of the following that are present:
C:\WINDOWS\CONFIG\ABRPC.EXE
C:\WINDOWS\RUNDLL2.EXE

Put a check next to these in HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F1 - win.ini: load=rundll2.exe
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL (file missing)
O2 - BHO: Var1Helper Class - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\SYSTEM\INETDCTR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL (file missing)
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\SYSTEM\idctup20.exe
O4 - HKLM\..\Run: [sysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [ABRPC] C:\WINDOWS\CONFIG\ABRPC.EXE

THEN, WITH ALL OTHER WINDOWS CLOSED, press "Fix".

Make sure you are set to Show Hidden Files and Folders and delete the following files/folders:
C:\WINDOWS\CONFIG\ABRPC.EXE
C:\WINDOWS\RUNDLL2.EXE

Delete files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN Temp, but not Temp itself!):
- C:\Windows\Temp\
- C:\Temp\
- Empty your "Recycle Bin"
- Empty your TIF by Control Panel > Internet Options > General (tab) > Delete Files (button) > check the box to "remove all offline content" > OK > Apply

Then reboot and post a fresh log back to this thread.

As far as new spyware.....spyware==yes; new==sorry

:unsure:


Thanks for the info on how to remove it. I do know HOW to remove it; I was just wondering if anyone knows what ABRPC.EXE is!? I have never seen it before, Spybot S&D does NOT pick it up, and I haven't been able to find anything on it anywhere on the internet (Altavista, Google, or Metacrawler).

As far as idctup20.exe, that is a new memory-resident application that ships with Spybot S&D 1.3 that blocks all bad internet pages (in its list) automatically. I have already formatted this system so it is clean, but if anyone does know what piece of spy/trojan software abrpc.exe is associated with, do let us all know! Rundll2.exe is a memory-resident program I created to prevent the installation or reconfiguration of programs on that PC (Win9x and, by nature, insecure).

Thanks for all the help

Regards,

Sharizod.
