Free Malware Removal Forum

[Gimble]

Hi, a relative of mine is having trouble with an infection that Spybot and Ad-Aware havn't been able to handle.

Logfile of HijackThis v1.99.1
Scan saved at 00:06:01, on 2006-02-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\QmVuZ3Q\command.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program\NORTON~1\navapw32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\mssn.exe
C:\WINDOWS\System32\rundll32.exe
C:\windows\winsysban9.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ulrika\Skrivbord\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer till dig via Planetis
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\Program\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
O4 - HKLM\..\Run: [NECStartPage] C:\apps\HomePage\HomePgui.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Service] mssn.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames10.exe
O4 - HKLM\..\Run: [szlhdctn] C:\WINDOWS\System32\pdemdhro.exe
O4 - HKLM\..\Run: [SpamBlocker] C:\Program\SpamBlockerUtility\Bin\4.7.1.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\Program\SPAMBL~1\Bin\471~1.0\SBInst.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program\SpamBlockerUtility\Bin\4.7.1.0\SbWeatherOnTray.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ykqiqc.exe reg_run
O4 - HKLM\..\RunServices: [Service] mssn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DA35C03-EEB0-42E7-871A-65A66CE45CA5}: NameServer = 81.216.65.11,81.216.65.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2BE7D97-712D-423B-904A-2DF7D007281F}: NameServer = 81.216.65.11,81.216.65.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DA35C03-EEB0-42E7-871A-65A66CE45CA5}: NameServer = 81.216.65.11,81.216.65.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{0DA35C03-EEB0-42E7-871A-65A66CE45CA5}: NameServer = 81.216.65.11,81.216.65.12
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\ir86l5ls1.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmVuZ3Q\command.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\Bengt\LOKALA~1\Temp\hpdj.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

[Susan528]

Hello Gimble,

There are many infections on your computer.

http://securityresponse.symantec.com/av ... ass.e.html
Sends password information to the Trojan's author.

http://castlecops.com/o23list-1469.html
MicroSoft Media ToolsCommandMSMEDIA.EXEStatusXDescriptionAdded by the SDBOT.CUH WORM! Note: This worm file is found in the System32 folder. (NT/2000/XP) Read the link, rootkit type stealth involved.

• . Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
  
• . Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  
• . From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  
  Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.
  
  and what ever else seems appropriate.
  

We can likely clean the infected files off computer but we cannot be sure that the files involved didn't do anything to your system to reduce overall system security. You could be vulnerable to another attack as soon as you connect to net again. I personally would reinstall if this happend on my computer. Please let me know your intentions if those files turn out to be what I think they are.

Please perform the following in order to gather more info:

Blacklight

Download Blacklight Beta from here:
http://www.f-secure.com/blacklight/try.shtml

• Hit I accept. It will take you to download page.
• Download blbeta.exe and save it to the Desktop.
• Once saved... double click blbeta.exe to install the program.
• Click accept agreement and Click scan
  This app too may fire off a warning from antivirus. Let the driver load.
  Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please post contents of log.

[Gimble]

Thanks for your reply. Norton identifies the following infections:

W32.Spybot.Worm
Trojan.LowZones
Trojan.StartPage

The Blacklight log:

02/23/06 20:24:24 [Info]: BlackLight Engine 1.0.32 initialized
02/23/06 20:24:24 [Info]: OS: 5.1 build 2600 ()
02/23/06 20:24:25 [Note]: 7019 4
02/23/06 20:24:25 [Note]: 7005 0
02/23/06 20:24:36 [Note]: 7006 0
02/23/06 20:24:36 [Note]: 7011 2308
02/23/06 20:24:37 [Note]: 7024 1
02/23/06 20:24:37 [Note]: 7015 244
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Info]: Hidden process: Unknown process (pid:244)
02/23/06 20:24:37 [Note]: 7015 256
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 500
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 548
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 936
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 988
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 1432
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 1564
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 1808
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 2900
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 3016
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 3192
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 3352
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 3648
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 3752
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 3860
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 3912
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7024 1
02/23/06 20:24:37 [Note]: 7015 3928
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Info]: Hidden process: Unknown process (pid:3928)
02/23/06 20:24:37 [Note]: 7015 3992
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 3996
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 4204
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7015 4264
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: 7024 1
02/23/06 20:24:37 [Note]: 7015 5036
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Info]: Hidden process: Unknown process (pid:5036)
02/23/06 20:24:37 [Note]: 7015 5636
02/23/06 20:24:37 [Note]: 7015 5
02/23/06 20:24:37 [Note]: FSRAW library version 1.7.1015
02/23/06 20:25:35 [Note]: 7002 0
02/23/06 20:25:35 [Note]: 7003 1
02/23/06 20:25:35 [Note]: 7002 0
02/23/06 20:25:35 [Note]: 7003 1
02/23/06 20:25:35 [Note]: 7002 0
02/23/06 20:25:35 [Note]: 7003 1
02/23/06 20:30:40 [Note]: 7007 0

[Susan528]

You have hidden items as I feared. I would recommend to format and reinstall. If you do not want to do this, do not ever use the computer for anything confidential.

http://www.symantec.com/avcenter/venc/d ... .worm.html

F-Secure BlackLight found hidden items! What should I do?
Blacklight beta help

If your computer has actually been hacked, removing the hidden items might not be sufficient. Even after a careful clean up the hacker might still be able to access your computer after it has been compromised once. The removed malware may have changed the system in a way that is impossible to detect or restore. An added or changed user right is a typical example of such changes. Formatting all hard disks and re-installing the computer is the only foolproof way to eliminate this risk.

http://en.wikipedia.org/wiki/Rootkit

A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows. A computer with a rootkit on it is called a rooted computer.

Please let me know if you are planning to format and reinstall.

[Gimble]

Thanks for your kind help. I've spoken to my aunt (whos computer it is) and she's decided to go for a format/reinstall. I'll make sure that she'll get windows patched and a firewall properly installed this time. I'll also send her instructions on how to install and setup Spybot/Ad-Aware/ZoneAlarm.

[Susan528]

Hello Gimble,
I am glad you are helping out your aunt. I am also glad you have joined MRU.

Regards,
Susan

[Gimble]

I figured since I've somehow turned into the tech-support of the family, some learning would be appropriate.

Thread can be closed.

[NonSuch]

As this issue appears to be resolved, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.