Possible new spyware/worm

  1. #1
    Registered User
    Join Date
    Aug 2000
    Location
    Saltburn, Cleveland, United Kingdom
    Posts
    632

    Possible new spyware/worm

    An odd case here:
    XP2600 box running XP Home SP1, IE6 wouldn't load, but was showing under processes in Task Manager, but only using 8Mb or so of memory.
    I cleaned off a lot of junk with Adaware and Spybot, installed AVG and got rid of everything it found, mostly trojans. IE6 still wouldn't load.
    HijackThis showed a funny file, msbl.exe, in the log. Windows let me delete it but the file and the registry key were re-created on each boot.
    It turned out to be another file, mslb32.dll which was responsible for this. This file wouldn't delete. I only found the mslb32.dll file by looking at files in the system32 folder by date to see what else had the same date stamp as the msbl.exe file and looking in a text editor at the file contents. I have no idea of the origins of these two files, Google turned up a very few links with little to be gained from them.
    I eventually fixed it by deleting the files in safe mode command prompt and dumping the registry key again.

    Snippet of HijackThis log:

    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\msbl.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\msbl.exe

    Adaware, Spybot, AVG and Trend Micro's Housecall all missed this little horror.

    I'd be interested to hear if anybody else has seen this particular beastie before. Nothing else appeared to be affected, only IE6. Maybe this will save some of you some time, I certainly used enough of my time cleaning this box!
    Last edited by Jeff the Brit; August 4th, 2004 at 07:00 AM.
    I think I know just enough to know how much I don't know... I think...
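
Added example, not part of the original post: a small Python check that scans HijackThis log text for the kind of F0/F2 `Shell=` entries shown in the snippet above and reports anything loaded alongside explorer.exe. The function name and the sample log (the two lines from the post plus two constructed ones) are assumptions made for illustration.

```python
import re

# Sample input: the first two lines are from the post; the last two are
# constructed here for contrast (a clean Shell value and an unrelated entry).
SAMPLE_LOG = r"""
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\msbl.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\msbl.exe
F2 - REG:system.ini: Shell=Explorer.exe
O4 - HKLM\..\Run: [Example] C:\Example\example.exe
"""

# F0 is the Shell= line in the system.ini file; F2 with "REG:" is the
# registry-mapped equivalent (the Winlogon Shell value on NT-based Windows).
SHELL_LINE = re.compile(
    r"^[ \t]*(F[0-3]) - (REG:)?system\.ini: Shell=(.*)$",
    re.IGNORECASE | re.MULTILINE,
)


def find_shell_hijacks(log_text):
    """Return (section, source, extras) for each Shell= line that names
    anything other than a bare explorer.exe."""
    findings = []
    for section, reg, value in SHELL_LINE.findall(log_text):
        # Entries are separated by spaces or commas. Splitting this way breaks
        # up unquoted paths containing spaces, which still get reported.
        tokens = [t for t in re.split(r"[\s,]+", value.strip()) if t]
        # Strict on purpose: a full path ending in explorer.exe is also
        # reported, since a copy outside the Windows directory is suspect.
        extras = [t for t in tokens if t.lower() != "explorer.exe"]
        if extras:
            source = "registry" if reg else "system.ini"
            findings.append((section.upper(), source, extras))
    return findings


if __name__ == "__main__":
    for section, source, extras in find_shell_hijacks(SAMPLE_LOG):
        print(f"{section} ({source}): extra shell entries: {', '.join(extras)}")
```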

  2. #2
    Registered User InTheWayBoy
    Join Date
    Feb 2000
    Location
    Jacksonville, FL USA
    Posts
    435
    While that may be a new kind of spyware, the tactic of loading something else with the default shell in those ini files is an old virus trick...thought XP didn't use those anymore! Oh well, yet another place to look for crap again...thanks for the heads up!

  3. #3
    Registered User
    Join Date
    Aug 2004
    Posts
    1

  4. #4
    Registered User GrandDad
    Join Date
    Apr 2001
    Location
    Ft.Leonard Wood
    Posts
    2,112
    Welcome to WD, dogwoodwind.

    Thanks for link

    So this could be a nasty Virus

  5. #5
    Registered User
    Join Date
    Aug 2000
    Location
    Saltburn, Cleveland, United Kingdom
    Posts
    632
    Google's indexed this thread now. My work is done and the answers are there for all the world to see. I'd still like to know what the little beggar is and who is responsible for it though.
    A couple of Google links suggested it might be from 180 Solutions nCase, but that puts in a file named msbb.exe and is easily dealt with by Adaware or Spybot.
    Last edited by Jeff the Brit; August 4th, 2004 at 07:13 AM.
