MalwareRemoval.com
Spyware nightmare!

Post by brandy claws » December 28th, 2005, 11:34 am

My PC is dissolving due to dirty spyware...I ran Ad-Aware and Spybot Search & Destroy to no avail, and have now got myself the HijackThis log below.
Any help would be VERY welcome!!!!
Thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:02:01 AM, on 12/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\MacOpener\FORMATM.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Mediafour\MacDrive\MDShell.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\icasServ.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\WINNT\system32\sywsvcs.exe
C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe
C:\Program Files\MacOpener\MacName.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\drwtsn32.exe
\192.168.254.161\what\Rik\HijackThis.exe
\192.168.254.161\what\Rik\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1.UK\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1.UK\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.254.6:4480
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A735D13-F26E-4DBE-A3D1-676571607056} - C:\WINNT\system32\keea.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [MDShell] "C:\Program Files\Mediafour\MacDrive\MDShell.exe" /S
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINNT\system32\PowerDesk8\Matrox.PowerDesk.exe /silent
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\MacOpener\MacLic.exe"
O4 - HKLM\..\Run: [windesktop] C:\WINNT\system32\windesktop.exe
O4 - HKLM\..\Run: [icasServ] C:\WINNT\system32\icasServ.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1.UK\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [windesktop] C:\WINNT\system32\windesktop.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [aupd] C:\WINNT\system32\sywsvcs.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MacName.lnk = C:\Program Files\MacOpener\MacName.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O18 - Filter: text/html - {CDCA7CAF-DEE9-42F8-93CD-EEA3BEEC72CB} - C:\WINNT\system32\keea.dll
O18 - Filter: text/plain - {CDCA7CAF-DEE9-42F8-93CD-EEA3BEEC72CB} - C:\WINNT\system32\keea.dll
O20 - Winlogon Notify: dvd4free - C:\WINNT\SYSTEM32\dvd4free.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\MacOpener\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: MGAFGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgafg.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SpywareCleanerService - Secure Computer, LLC - C:\Program Files\Spyware Cleaner\SCService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
brandy claws
Regular Member
 
Posts: 38
Joined: December 28th, 2005, 11:30 am
Location: London

Post by Kimberly » December 28th, 2005, 12:16 pm

Hello brandy claws and welcome,

Your computer has an about:blank infection running and some other nasties. There is one entry in your log that might be a variant of the W32/Sdbot family and I would like more info about that file.

Log:
O4 - HKLM\..\Run: [windesktop] C:\WINNT\system32\windesktop.exe

Make sure that you can see hidden files.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading select Show hidden files and folders.
  6. Uncheck the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
______________________________

Submit the file C:\WINNT\system32\windesktop.exe to Jotti's scanner at:
http://virusscan.jotti.org/ Post the results here in the next reply.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Post by Kimberly » December 28th, 2005, 12:32 pm

I had a closer look at your log ...

You have a rogue spyware remover program installed:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Spyware Cleaner


O4 - HKCU\..\Run: [aupd] C:\WINNT\system32\sywsvcs.exe
Trojan horse
Downloads code from the internet
Installs itself in the Registry


O4 - HKCU\..\Run: [internat.exe] internat.exe
If this isn't the legitimate file (the language selection icon in the tray), you find yourself with another trojan which can:
Turns off anti-virus applications
Allows others to access the computer
Modifies data on the computer
Steals information
Uses its own emailing engine


You have a very nasty infection still installed which may have stolen all your passwords, including banking passwords and sent them to an internet site.

This entry:
O20 - Winlogon Notify: dvd4free - C:\WINNT\SYSTEM32\dvd4free.dll

And there may be more hidden entries as well.

Before we continue, I urge you to protect your personal information. If you use this system for any financial transactions, go to your bank or credit card company etc and alert them to your situation. Change all that information so that others do not have access to your accounts and do not use this system for any transactions until you are clean.

You may want to format and reinstall the operating system. In your shoes, I would do that.

Let me know what your choice is.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Post by brandy claws » December 28th, 2005, 12:46 pm

Cheers for the info....being fairly computer incompetent it doesn't mean a hell of a lot to me but I'm acting upon your suggestions.
Tried to submit that file you mentioned in your first post but it claimed the malware is stopping me doing so.
I don't use this machine for anything other than work (viewing and creating files) and bits of internet (email, myspace, bit of downloading - which is where this all came from I assume!) so security wise I should be fine.
I am using this machine on our network here at work...should I worry about that? Can't have internet without the network.
As for formatting and reinstalling the operating system....not sure that's an option as I don't have access to the software I'll need to do that.
Hope this isn't too stupid and confusing....
brandy claws
Regular Member
 
Posts: 38
Joined: December 28th, 2005, 11:30 am
Location: London

Post by Kimberly » December 28th, 2005, 12:58 pm

It isn't confusing, don't worry.

C:\WINNT\system32\windesktop.exe

Put the file in a rar or winzip archive and upload the file to:
http://www.thespykiller.co.uk/forum/index.php?board=1.0

You don't need to be a member. Post a link to the topic here in the message and use the following as the topic title: windesktop.exe - attn Kimberly, so I know what we are talking about.

I am using this machine on our network here at work...should I worry about that? Can't have internet without the network.
As for formatting and reinstalling the operating system....not sure that's an option as I don't have access to the software I'll need to do that.

If I were you, I would disconnect the PC immediately from the network. The dvd4free.dll is already extremely serious in itself; if the other file is part of the W32/Sdbot family ... it could do serious damage. Is this computer a laptop that you use at work and home?

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Post by brandy claws » December 28th, 2005, 1:08 pm

Ok....I've found the file itself but dunno how to do the rar or winzip thing. Plus I can't access the internet unless I'm connected to the network here. Would I be able to copy this file to the network and submit it to the other site from another machine?
The PC that's messed up is a desktop system for work only.
I'm only gonna be able to stay in the building for another hour (alarms to be set and locking up to do so I can't make other staff wait around for me). If you can get back to me soon again that'd be great! Don't mean to sound like I'm making demands...taken me all day to find you guys in the first place and I'm very grateful for your help so far!
brandy claws
Regular Member
 
Posts: 38
Joined: December 28th, 2005, 11:30 am
Location: London

Post by ChrisRLG » December 28th, 2005, 1:40 pm

Yes you can use another machine to do the email.

As you have win2k, you would need a separate program - like winzip - to be able to zip up that file to send (winXP has its own built into windows).

Winzip has an evaluation copy you could use.

http://www.winzip.com/

7-Zip is also good and free.

http://www.7-zip.org/

Install one of those and use it to compress (zip) those files requested.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by Kimberly » December 28th, 2005, 1:44 pm

You'll need a program such as Winzip

http://www.winzip.com/downwzeval.htm

Install the trial version, open Winzip. Locate the file and drag it over the winzip window. A window will open. Uncheck the Save full path info option, click the New button, give a name to your zip archive and save it on the desktop. Upload the zip archive.

As soon as possible, I'll post a fix to clean up things. If you are leaving the office before I get back to you, disconnect the PC from the network until you start to clean up. Most of the tools can be downloaded from another PC and you can bring them on a CD or USB key to the infected PC.

Edit: Chris did beat me on this one :)
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Post by brandy claws » December 28th, 2005, 1:48 pm

Hey....I risked my suggestion of copying the file and uploading it from another machine....here's the results:

File: windesktop.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5 519fd3972499701079a5944a45a752c6
Packers detected:
-

Scanner results

AntiVir
Found Trojan/Proxy.Agent.DL.2

ArcaVir
Found Worm.Maslan.K

Avast
Found Win32:Trojano-2218

AVG Antivirus
Found Proxy.ATL

BitDefender
Found Win32.Worm.Maslan.K

ClamAV
Found Trojan.Eraser.B

Dr.Web
Found Trojan.MulDrop.3121

F-Prot Antivirus
Found dropper for W32/Proxy.JW

Fortinet
Found W32/Maslan.K-net

Kaspersky Anti-Virus
Found Net-Worm.Win32.Maslan.k

NOD32
Found a variant of Win32/TrojanDropper.Small.NBG

Norman Virus Control
Found W32/Maslan.H

UNA
Found nothing

VBA32
Found Net-Worm.Win32.Maslan.k
brandy claws
Regular Member
 
Posts: 38
Joined: December 28th, 2005, 11:30 am
Location: London

Post by Kimberly » December 28th, 2005, 1:59 pm

Make sure to delete that file on the other PC, and don't leave it in the Recycle Bin either, please.

Ok, not an Sdbot variant, luckily ... I need a log before we start to fix because the dvd4free is / acts as a rootkit.

Download Blacklight Beta from here:
http://www.f-secure.com/blacklight/try.shtml
  • Hit I accept. It will take you to download page.
  • Download blbeta.exe and save it to the Desktop.
  • Once saved... double click blbeta.exe to install the program.
  • Click accept agreement and Click scan
    This app too may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
  • If it displays any items...don't do anything with them yet. Just hit exit (close)
  • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of log.


Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Post by brandy claws » December 28th, 2005, 2:07 pm

Ok...here's that log you wanted:

12/28/05 10:19:33 [Info]: BlackLight Engine 1.0.30 initialized
12/28/05 10:19:33 [Info]: OS: 5.0 build 2195 (Service Pack 4)
12/28/05 10:19:33 [Note]: 7019 4
12/28/05 10:19:33 [Note]: 7005 0
12/28/05 10:19:42 [Note]: 7006 0
12/28/05 10:19:42 [Note]: 7011 920
12/28/05 10:19:43 [Note]: 7018 1252
12/28/05 10:19:43 [Info]: Hidden process: C:\WINNT\system32\Emhiqhng.exe
12/28/05 10:19:43 [Note]: FSRAW library version 1.7.1014
12/28/05 10:20:06 [Info]: Hidden file: C:\WINNT\system32\drivers\nwr2.ies4
12/28/05 10:20:06 [Note]: 10002 1
12/28/05 10:20:13 [Info]: Hidden file: C:\WINNT\system32\dvd4free.dll
12/28/05 10:20:13 [Note]: 10002 1
12/28/05 10:20:13 [Info]: Hidden file: C:\WINNT\system32\dvdkernl.sys
12/28/05 10:20:13 [Note]: 10002 1
12/28/05 10:20:14 [Info]: Hidden file: C:\WINNT\system32\Emhiqhng.exe
12/28/05 10:20:14 [Note]: 10002 2

Other copy of the file has been chucked back onto infected PC and deleted there...no sign of it on our network...phew...

I'm leaving VERY shortly! If there's anything I can do please tell me...mainly just worried that someone will find this tomorrow while I'm not here!

Thanks so much for your help!
brandy claws
Regular Member
 
Posts: 38
Joined: December 28th, 2005, 11:30 am
Location: London

Post by brandy claws » December 28th, 2005, 2:09 pm

Ok...that looked wrong when I checked my post....hope this works this time:

12/28/05 10:19:33 [Info]: BlackLight Engine 1.0.30 initialized
12/28/05 10:19:33 [Info]: OS: 5.0 build 2195 (Service Pack 4)
12/28/05 10:19:33 [Note]: 7019 4
12/28/05 10:19:33 [Note]: 7005 0
12/28/05 10:19:42 [Note]: 7006 0
12/28/05 10:19:42 [Note]: 7011 920
12/28/05 10:19:43 [Note]: 7018 1252
12/28/05 10:19:43 [Info]: Hidden process: C:\WINNT\system32\Emhiqhng.exe
12/28/05 10:19:43 [Note]: FSRAW library version 1.7.1014
12/28/05 10:20:06 [Info]: Hidden file: C:\WINNT\system32\drivers\nwr2.ies4
12/28/05 10:20:06 [Note]: 10002 1
12/28/05 10:20:13 [Info]: Hidden file: C:\WINNT\system32\dvd4free.dll
12/28/05 10:20:13 [Note]: 10002 1
12/28/05 10:20:13 [Info]: Hidden file: C:\WINNT\system32\dvdkernl.sys
12/28/05 10:20:13 [Note]: 10002 1
12/28/05 10:20:14 [Info]: Hidden file: C:\WINNT\system32\Emhiqhng.exe
12/28/05 10:20:14 [Note]: 10002 2
brandy claws
Regular Member
 
Posts: 38
Joined: December 28th, 2005, 11:30 am
Location: London
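Kimberly's reading of the two logs above (entries loading code from the Temp directory, the hijacked IE search pages, the O18 MIME filter for keea.dll, and the Winlogon Notify DLL dvd4free.dll that BlackLight reports as hidden) can be turned into a small triage script. This is an added example, not code from the thread, from HijackThis or from BlackLight; the heuristics are mine and the two sample logs are constructed subsets of the entries posted in this thread.

```python
import re

# Constructed subset of the HijackThis log posted in this thread.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1.UK\LOCALS~1\Temp\se.dll/space.html
O2 - BHO: (no name) - {5A735D13-F26E-4DBE-A3D1-676571607056} - C:\WINNT\system32\keea.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1.UK\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {CDCA7CAF-DEE9-42F8-93CD-EEA3BEEC72CB} - C:\WINNT\system32\keea.dll
O20 - Winlogon Notify: dvd4free - C:\WINNT\SYSTEM32\dvd4free.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
"""

# Constructed subset of the BlackLight log posted in this thread.
BLACKLIGHT_LOG = r"""
12/28/05 10:19:43 [Info]: Hidden process: C:\WINNT\system32\Emhiqhng.exe
12/28/05 10:20:13 [Info]: Hidden file: C:\WINNT\system32\dvd4free.dll
12/28/05 10:20:13 [Info]: Hidden file: C:\WINNT\system32\dvdkernl.sys
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First drive-letter path in an entry; quoted paths with spaces are cut at the space.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s",/]+')

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def hidden_names(text):
    """Basenames that BlackLight reported as hidden files or processes."""
    return {basename(m.group(1).strip())
            for m in re.finditer(r"Hidden (?:file|process): (.+)$", text, re.M)}

def triage(hjt_text, blacklight_text):
    """Return [(section, file, [reasons])] for entries worth a closer look."""
    hidden = hidden_names(blacklight_text)
    rows = []
    for section, body in parse_hjt(hjt_text):
        m = PATH_RE.search(body)
        name = basename(m.group(0)) if m else ""
        reasons = []
        if "\\temp\\" in body.lower():
            reasons.append("runs code from a Temp directory")
        if section.startswith("R") and ("about:blank" in body or "res://" in body):
            reasons.append("IE search/start page hijacked")
        if section == "O18":
            reasons.append("MIME filter hook can rewrite every page IE renders")
        if name in hidden:
            reasons.append("file hidden from the OS (BlackLight)")
        rows.append([section, name, reasons])
    # Second pass: a clean-looking entry pointing at an already flagged file inherits the suspicion.
    flagged = {name for _, name, reasons in rows if reasons and name}
    for row in rows:
        if not row[2] and row[1] in flagged:
            row[2].append("same file as a flagged entry")
    return [(s, n, r) for s, n, r in rows if r]
```

Running `triage(HJT_LOG, BLACKLIGHT_LOG)` flags the two se.dll entries, both keea.dll entries (the O2 BHO only because the O18 filter names the same file) and dvd4free.dll, while the Symantec ccApp and NavLogon entries stay clean.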

Post by brandy claws » December 28th, 2005, 2:15 pm

Aaarrrggghhhh! I can't seem to get that log up (I'm using a mac for each post here cos that's the only other machine I have...will that be why?)

I have to leave now or be locked in the building til morning. I don't have internet access elsewhere but will check back with you asap.

Thank you so much for all your help! Please continue to update this strand until I pick up where we left off.

thanks again

Rik
brandy claws
Regular Member
 
Posts: 38
Joined: December 28th, 2005, 11:30 am
Location: London

Post by Kimberly » December 28th, 2005, 2:19 pm

It's the caron between the brackets that messed up the post, I did edit it.

I'm writing a fix now and will post it. When you arrive at work, you will be able to start fixing the PC.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am