gb.exe dialer

#1 b-e-n

Posted 15 July 2004 - 09:19 PM

Hi, I had a couple of pop-ups appear whilst browsing, and then Sygate Personal Firewall asked for permission for gb.exe, located in the Downloaded Program Files folder. I declined it, but my dialup modem hung up by itself anyway and started redialing a different number than usual (I could tell by the sound). The computer wouldn't respond to Ctrl-Alt-Delete or anything, and I pressed the reboot button before it finished dialing. I've scanned with the latest updates of Spybot 1.3 / Ad-Aware / The Cleaner & AVG (full system scans with the last two); nothing showed up.
The HijackThis log is:

-----------------------------------------------------------------------------------

Logfile of HijackThis v1.98.0
Scan saved at 12:07:34 am, on 16/07/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\BEN\PROGRAMS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [TClockEx] C:\WINDOWS\DESKTOP\BEN\PROGRAMS\TCLOCKEX\TCLOCKEX.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Add to Ad Hunter - C:\PROGRAM FILES\MAXTHON\config/blacklist.htm
O8 - Extra context menu item: &Download Flash Files - C:\PROGRA~1\LEESOFT\FLASHH~1\save.htm
O8 - Extra context menu item: Add to my&Favorites - C:\Program Files\myFavorites\myFavorites.hta
O8 - Extra context menu item: Save Flash - res://C:\PROGRAM FILES\UNH SOLUTIONS\FLASH SAVING PLUGIN\FLASHSBUTTON.DLL/210
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Save Picture - res://C:\PROGRAM FILES\UNH SOLUTIONS\SAVEPICNOASK LIGHT\SPNAL.EXE/130
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Dell Home - {3561C7A0-A387-11D4-9569-90656FC101FF} - http://www.euro.dell...gen/default.htm (file missing) (HKCU)
O9 - Extra button: myFavorites - {FFF058AF-4697-4ad6-ADB1-82965C8C027F} - C:\Program Files\myFavorites\myFavorites.hta (HKCU)
O9 - Extra 'Tools' menuitem: myFavorites - {FFF058AF-4697-4ad6-ADB1-82965C8C027F} - C:\Program Files\myFavorites\myFavorites.hta (HKCU)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - (no file) (HKCU)
O9 - Extra button: (no name) - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - C:\PROGRAM FILES\UNH SOLUTIONS\SAVEPICNOASK LIGHT\SPNAL.EXE (HKCU)
O9 - Extra 'Tools' menuitem: SavePicNoAsk Light - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - C:\PROGRAM FILES\UNH SOLUTIONS\SAVEPICNOASK LIGHT\SPNAL.EXE (HKCU)
O12 - Plugin for .zip: C:\Program Files\Opera75\PLUGINS\NPLeechGet.dll
O12 - Plugin for .exe: C:\Program Files\Opera75\PLUGINS\NPLeechGet.dll
O12 - Plugin for .chm: C:\Program Files\Opera75\PLUGINS\NPLeechGet.dll
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) -
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtec...ntrol_en_US.cab
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://69.57.146.110/b/gb.chm::/gb.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 127.0.0.1
O18 - Protocol: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\PROGRA~1\COMMON~1\MICROS~1\REFERE~1\MSREF.DLL

--------------------------------------------------------------------------------

After the HijackThis scan I removed the item:
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://69.57.146.110/b/gb.chm::/gb.exe

and all suspicious files from the IE cache, including gb.exe.

Apart from that entry the log looks the same as I remember it (I think) from before, although the O17 & O18 items are from more recent weeks.
Looking at 'http://hometown.aol....al/tutorial.htm', it says to delete O18, but I'm not sure about O17.
Thanks in advance, Ben.
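The two entries this post is unsure about are the kind a log reader checks mechanically: an O16 (Downloaded Program Files) entry whose target is not a plain http/https control URL, and an O17 NameServer override. The following script is an added example written for this thread; it is not HijackThis code and not anything the poster ran. It parses HijackThis-style lines, reports the ms-its:/mhtml: chain from the log above as something to remove (a DPF entry should only ever point at a downloadable control) and reports any O17 NameServer value for review, since whether 127.0.0.1 is legitimate depends on what DNS the machine is supposed to use. The benign O16 line in the sample is constructed; the other sample lines are taken from the log above.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed excerpt: the first O16 line is an invented benign control entry,
# the remaining lines are copied from the log posted in the thread.
SAMPLE_LOG = """\
O16 - DPF: {CONSTRUCTED-GUID-0000-0000-000000000000} (Example Control) - http://downloads.example.test/control.cab
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\\foo.mht!http://69.57.146.110/b/gb.chm::/gb.exe
O17 - HKLM\\System\\CCS\\Services\\VxD\\MSTCP: NameServer = 127.0.0.1
O18 - Protocol: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\\PROGRA~1\\COMMON~1\\MICROS~1\\REFERE~1\\MSREF.DLL
"""

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.+)$")
# Matches "://1.2.3.4" followed by a path, port, or end of string.
IP_LITERAL = re.compile(r"://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)")
WEB_SCHEMES = ("http", "https")


@dataclass
class Finding:
    section: str
    verdict: str   # "remove" or "review"
    reason: str
    line: str


def parse_hjt_line(line):
    """Split 'O16 - DPF: ...' into ('O16', 'DPF: ...'); None for non-entry lines."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def dpf_url(body):
    """Return the target of an O16 DPF body: the text after the last ' - '."""
    if " - " not in body:
        return ""
    return body.rsplit(" - ", 1)[1].strip()


def triage_o16(body):
    url = dpf_url(body)
    if not url:
        return None  # empty target, nothing to judge from the log alone
    scheme = url.split(":", 1)[0].lower()
    reasons = []
    if scheme not in WEB_SCHEMES:
        reasons.append(f"non-web scheme '{scheme}:' in DPF target")
    ip = IP_LITERAL.search(url)
    if ip:
        reasons.append(f"DPF target fetched from IP literal {ip.group(1)}")
    if not reasons:
        return None
    # A DPF entry has no business using anything but a control download URL.
    verdict = "remove" if scheme not in WEB_SCHEMES else "review"
    return verdict, "; ".join(reasons)


def triage_o17(body):
    m = re.search(r"NameServer\s*=\s*(.+)$", body)
    if not m:
        return None
    server = m.group(1).strip()
    return "review", f"DNS server override {server}; confirm it matches the intended resolver"


RULES = {"O16": triage_o16, "O17": triage_o17}


def triage(log_text):
    """Run the section rules over every line and collect findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_hjt_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        rule = RULES.get(section)
        result = rule(body) if rule else None
        if result:
            verdict, reason = result
            findings.append(Finding(section, verdict, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict:6}] {f.section}: {f.reason}\n          {f.line}")
```

Only O16 and O17 have rules here; O18 lines pass through untouched, so an entry like the msref protocol handler above is left for the human reader, which is the right default for a log triage that should not guess.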

#2 b-e-n

Posted 16 July 2004 - 11:50 AM

I also remembered that I removed a dialup connection via Internet Options > Connections. I can't remember the exact name, but it was four capital letters, PX??.
