• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
b-e-n

gb.exe dialer

2 posts in this topic

Hi, I had a couple of pop-ups appear whilst browsing and then Sygate personal firewall asked for permission for gb.exe located in the download program files. I declined it but my dialup modem hung up by itself anyway and started redialing a different number than usual (I could tell by the sound). Computer wouldn't respond to ctrl-alt-delete or anything and I pressed the reboot button before it finished dialing. I've scanned with the latest updates of spybot 1.3 / adaware / The Cleaner & AVG (full system scans with the last 2), nothing showed up.

The hijackthis log is:

 

-----------------------------------------------------------------------------------

 

Logfile of HijackThis v1.98.0

Scan saved at 12:07:34 am, on 16/07/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\DESKTOP\BEN\PROGRAMS\HIJACK THIS\HIJACKTHIS.EXE

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - HKLM\..\RunServices: [smcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE

O4 - HKCU\..\Run: [TClockEx] C:\WINDOWS\DESKTOP\BEN\PROGRAMS\TCLOCKEX\TCLOCKEX.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm

O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm

O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm

O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm

O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm

O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm

O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm

O8 - Extra context menu item: Add to Ad Hunter - C:\PROGRAM FILES\MAXTHON\config/blacklist.htm

O8 - Extra context menu item: &Download Flash Files - C:\PROGRA~1\LEESOFT\FLASHH~1\save.htm

O8 - Extra context menu item: Add to my&Favorites - C:\Program Files\myFavorites\myFavorites.hta

O8 - Extra context menu item: Save Flash - res://C:\PROGRAM FILES\UNH SOLUTIONS\FLASH SAVING PLUGIN\FLASHSBUTTON.DLL/210

O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html

O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html

O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html

O8 - Extra context menu item: Save Picture - res://C:\PROGRAM FILES\UNH SOLUTIONS\SAVEPICNOASK LIGHT\SPNAL.EXE/130

O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmsearch.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmsimilar.html

O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR1.DLL/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Dell Home - {3561C7A0-A387-11D4-9569-90656FC101FF} - http://www.euro.dell.com/countries/uk/enu/gen/default.htm (file missing) (HKCU)

O9 - Extra button: myFavorites - {FFF058AF-4697-4ad6-ADB1-82965C8C027F} - C:\Program Files\myFavorites\myFavorites.hta (HKCU)

O9 - Extra 'Tools' menuitem: myFavorites - {FFF058AF-4697-4ad6-ADB1-82965C8C027F} - C:\Program Files\myFavorites\myFavorites.hta (HKCU)

O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - (no file) (HKCU)

O9 - Extra button: (no name) - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - C:\PROGRAM FILES\UNH SOLUTIONS\SAVEPICNOASK LIGHT\SPNAL.EXE (HKCU)

O9 - Extra 'Tools' menuitem: SavePicNoAsk Light - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - C:\PROGRAM FILES\UNH SOLUTIONS\SAVEPICNOASK LIGHT\SPNAL.EXE (HKCU)

O12 - Plugin for .zip: C:\Program Files\Opera75\PLUGINS\NPLeechGet.dll

O12 - Plugin for .exe: C:\Program Files\Opera75\PLUGINS\NPLeechGet.dll

O12 - Plugin for .chm: C:\Program Files\Opera75\PLUGINS\NPLeechGet.dll

O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) -

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/s...er/PROFILER.CAB

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab

O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://69.57.146.110/b/gb.chm::/gb.exe

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 127.0.0.1

O18 - Protocol: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\PROGRA~1\COMMON~1\MICROS~1\REFERE~1\MSREF.DLL

 

--------------------------------------------------------------------------------

 

After the hijackthis scan I removed item:

O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://69.57.146.110/b/gb.chm::/gb.exe

 

and all suspicious files from the IE cache, including gb.exe.

 

Apart from that entry the log looks the same as I remember it (I think) from before, although the 017 & 018 items are from more recent weeks.

Looking at 'http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm' it says to delete 018, but I'm not sure about 017.

Thanks in advance, Ben.

Share this post


Link to post
Share on other sites

I also remembered that I removed a dialup connection via internet options-connections. I can't remember the exact name but it was 4 capital letters PX??.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0