Search Assistant - My Search (can't remove. HELP!)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by CaptainHawk, Jul 2, 2004.

  1. CaptainHawk

    CaptainHawk Private E-2

    In my Add/Remove programs list, I have this program "Search Assistant - My Search" which must be adware, or spyware, because it won't remove. I've tried both Ad-Aware and Spybot, with the plug-in, and followed all instructions. It's still there, and when I try to remove it, I get a blank pop-up page with a vague path string at the top.

    I've tried safe mode, I've scanned, I've taken off and put back on MSN 9, so I'm here because I've reached a point where I don't know what to do.

    In addition, whether it's related or not, I CAN get onto the internet (dialup), but my MSN9 won't let my email files download and I get an Error Reporting.

    Chances are, I've got a variant of a Hijacker, and I'm hoping it's connected to that "Search Assistant" program so that when I finally get rid of it, life will be back to normal.

    Please instruct me as to what action to take and I will do it. If there is a former string about this specific problem I can refer to, I'd be o.k. with that as long as it works. This is my fourth day of sitting in front of this computer, and my wife's about to leave me...
    THANKS!!!
    Hawk
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. CaptainHawk

    CaptainHawk Private E-2

    Ok, loaded and used HijackThis... went through the codes and deleted what, according to the guide, was bad.

    This is what I was left with:

    Running processes: (sorry if it's double spaced)
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\MSN\MSNCoreFiles\msn.exe
    C:\Program Files\MSN\MSNIA\msniasvc.exe
    C:\Program Files\MSN\MSNIA\WA\ClientSideProxy.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN\MSNCoreFiles\dw15.exe
    C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
    C:\Documents and Settings\Brant\My Documents\HijackThis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\moh.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: View Original Image - C:\program files\msn\msnia\wa\getoriginal.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E50D221-6B07-469B-8E7A-2CDE94072763}: NameServer = 205.171.3.65 205.171.2.65
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2E50D221-6B07-469B-8E7A-2CDE94072763}: NameServer = 205.171.3.65 205.171.2.65
    O18 - Filter: text/html - {D1F6DEF1-5B1C-43F5-94DC-CE239F06469B} - C:\WINDOWS\System32\phbbc.dll
    O18 - Filter: text/plain - {D1F6DEF1-5B1C-43F5-94DC-CE239F06469B} - C:\WINDOWS\System32\phbbc.dll
     
  4. CaptainHawk

    CaptainHawk Private E-2

    Some other notes too:
    I have the about:blank in my Internet Explorer too.
    I don't seem to have the same "home search assistant" extensions. Can't find anything like that.

    After I restarted, I logged into MSN9, and the same problem is present where I get a freeze while email files are downloading and then an Error Message with "fdr###.fdr", of which the path is in LOCAL~ etc...

    Does this look familiar? What else do I need to post here to diagnose what I have?

    Thanks much!

    Hawk
     
  5. CaptainHawk

    CaptainHawk Private E-2

    Here is a log of after I cleaned everything out, restarted, ran some scans, and checked it again.
    Please let me know if you see anything to deal with.
    THANKS!
    Hawk

    Logfile of HijackThis v1.98.0
    Scan saved at 9:50:45 PM, on 7/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
    C:\Documents and Settings\Brant\My Documents\HijackThis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0000.2693\en-xu\stmain.dll (disabled by BHODemon)
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe"
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\moh.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2.0\BHODemon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E50D221-6B07-469B-8E7A-2CDE94072763}: NameServer = 205.171.3.65 205.171.2.65
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2E50D221-6B07-469B-8E7A-2CDE94072763}: NameServer = 205.171.3.65 205.171.2.65
    O18 - Filter: text/plain - {D1F6DEF1-5B1C-43F5-94DC-CE239F06469B} - C:\WINDOWS\System32\phbbc.dll
     
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Remove:

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0000.2693\en-xu\stmain.dll (disabled by BHODemon)

    I am not sure about:

    O18 - Filter: text/plain - {D1F6DEF1-5B1C-43F5-94DC-CE239F06469B} - C:\WINDOWS\System32\phbbc.dll

    Are you having any other problems? Because it looks pretty decent.
     
  7. CaptainHawk

    CaptainHawk Private E-2

    I wasn't sure about the Filter... But yeah, I'm having the same problems even with what I last posted.
    I DID go in and disable the BHO you mentioned with BHODemon. No change.
    I'll try fixing the filter and see what happens.
    Seems like there's something that is replicating from a hidden place. Sound familiar?
    Thanks
    Hawk
     
  8. CaptainHawk

    CaptainHawk Private E-2

    As you can see, some things come back as soon as I get back online:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
    C:\Program Files\MSN\MSNIA\msniasvc.exe
    C:\Program Files\MSN\MSNCoreFiles\msn.exe
    C:\Program Files\MSN\MSNIA\WA\ClientSideProxy.exe
    C:\Program Files\MSN\MSNCoreFiles\dw15.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Brant\My Documents\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
    O2 - BHO: (no name) - {7B5C2B24-6645-486E-BFBA-3B3E450035DA} - C:\WINDOWS\System32\pdken.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0000.2693\en-xu\stmain.dll (disabled by BHODemon)
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe"
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\moh.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2.0\BHODemon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: View Original Image - C:\program files\msn\msnia\wa\getoriginal.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E50D221-6B07-469B-8E7A-2CDE94072763}: NameServer = 205.171.3.65 205.171.2.65
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2E50D221-6B07-469B-8E7A-2CDE94072763}: NameServer = 205.171.3.65 205.171.2.65
    O18 - Filter: text/html - {408E1220-2DB3-4C73-A21F-A194BCFC3988} - C:\WINDOWS\System32\pdken.dll
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yeah, but this time you can see the problem (about:blank). The next line is the problem, and it also appears in the O18 key.

    O2 - BHO: (no name) - {7B5C2B24-6645-486E-BFBA-3B3E450035DA} - C:\WINDOWS\System32\pdken.dll

    Don't do any more editing yet until I get back to you. You will just make it worse. I have a procedure for you to try. It would be best if you do not power down or reboot your computer until we do this fix. These problems have an annoying capability of changing filenames upon reboots. If you have already rebooted, post another HijackThis log so I can check to see if it has changed. And then do not reboot. It is okay to disconnect your PC from the internet. Just don't reboot.
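Added example (not code from the thread, from HijackThis or from MajorGeeks): a Python triage script that parses the R/O2/O18 line formats quoted in the logs above and flags, over a sample constructed from those logs, the pattern chaslang is pointing at: an unnamed BHO whose DLL also backs the O18 MIME filters, plus the search-page and localhost-proxy hijacks, and it compares two logs to show the filter DLL reappearing under a new name after a reboot. The tag names and the list of watched IE values are this example's own.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Parses the R0/R1, O2 and O18 entry formats quoted in this thread and flags what
the helpers spotted by eye: IE search settings pointed at a file:// page in
Temp or at about:blank, a localhost ProxyServer, a BHO with no name, and O18
MIME filters backed by the same DLL as a BHO. It also diffs two logs to show
the filter DLL surviving a reboot under a new name. Tag names are this example's own.
"""
import re

# Entry formats as they appear in the thread's logs.
R_ENTRY = re.compile(r"^R[01] - (?P<key>.+?),(?P<name>[^=]+?) = (?P<value>.*)$")
O2_ENTRY = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)"
    r"(?: \((?P<note>[^)]*)\))?$")
O18_ENTRY = re.compile(
    r"^O18 - Filter: (?P<mime>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")

# IE values a hijacker rewrites. Default_Page_URL is left out: an OEM homepage
# such as dellnet.com is normal there.
SEARCH_VALUES = {"Search Bar", "Search Page", "SearchAssistant", "HomeOldSP",
                 "Start Page", "SearchURL"}

# Constructed sample built from entries quoted in the thread's 7/4 log.
LOG_AFTER_REBOOT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: (no name) - {67A42972-CD4C-4D64-A7E2-D8F98DFCB9AC} - C:\WINDOWS\System32\nocdc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0000.2693\en-xu\stmain.dll (disabled by BHODemon)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O18 - Filter: text/html - {C74D92A4-35BB-4D77-9CA1-4CB4C3160A23} - C:\WINDOWS\System32\nocdc.dll
O18 - Filter: text/plain - {C74D92A4-35BB-4D77-9CA1-4CB4C3160A23} - C:\WINDOWS\System32\nocdc.dll
"""

# The earlier log from the same machine carried the filter under another DLL name.
LOG_BEFORE_REBOOT = r"""
O2 - BHO: (no name) - {7B5C2B24-6645-486E-BFBA-3B3E450035DA} - C:\WINDOWS\System32\pdken.dll
O18 - Filter: text/html - {408E1220-2DB3-4C73-A21F-A194BCFC3988} - C:\WINDOWS\System32\pdken.dll
"""


def parse(log_text):
    """Return dicts for the R, O2 and O18 lines; every other line is skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R_ENTRY.match(line):
            entries.append({"type": "R", "name": m["name"].strip(),
                            "value": m["value"].strip()})
        elif m := O2_ENTRY.match(line):
            entries.append({"type": "O2", "name": m["name"], "clsid": m["clsid"].upper(),
                            "path": m["path"], "note": m["note"]})
        elif m := O18_ENTRY.match(line):
            entries.append({"type": "O18", "mime": m["mime"], "clsid": m["clsid"].upper(),
                            "path": m["path"]})
    return entries


def triage(entries):
    """Return (tag, detail) findings for the entries of one log."""
    findings = []
    bho_dlls = {e["path"].lower() for e in entries if e["type"] == "O2"}
    for e in entries:
        if e["type"] == "R":
            value = e["value"].lower()
            if e["name"] in SEARCH_VALUES and (value.startswith("file://")
                                               or value == "about:blank"):
                findings.append(("search-hijack", f'{e["name"]} = {e["value"]}'))
            elif e["name"] == "ProxyServer" and "127.0.0.1" in value:
                # A proxy on localhost lets a resident DLL rewrite pages on the way in.
                findings.append(("localhost-proxy", e["value"]))
        elif e["type"] == "O2" and e["name"] == "(no name)":
            findings.append(("unnamed-bho", e["path"]))
        elif e["type"] == "O18":
            # text/html and text/plain MIME filters are rare on a clean system;
            # one sharing a DLL with a BHO is the pairing chaslang points at.
            tag = "filter-shares-bho-dll" if e["path"].lower() in bho_dlls else "mime-filter"
            findings.append((tag, f'{e["mime"]} via {e["path"]}'))
    return findings


def filter_dll_changes(before, after):
    """O18 filter DLLs that disappeared and appeared between two parsed logs."""
    def dlls(entries):
        return {e["path"].lower() for e in entries if e["type"] == "O18"}
    return sorted(dlls(before) - dlls(after)), sorted(dlls(after) - dlls(before))


if __name__ == "__main__":
    for tag, detail in triage(parse(LOG_AFTER_REBOOT)):
        print(f"{tag:24} {detail}")
    gone, new = filter_dll_changes(parse(LOG_BEFORE_REBOOT), parse(LOG_AFTER_REBOOT))
    print("filter DLL renamed across reboot:", gone, "->", new)
```

Feed it a whole saved HijackThis log and it reports only the R, O2 and O18 lines worth a second look; the 7/2 log's lone phbbc.dll filter would come out as a plain mime-filter finding because no BHO shared its DLL.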
     
  10. CaptainHawk

    CaptainHawk Private E-2

    OK, yeah, I did reboot because I went out of town for the night... sorry...
    Below is another log.
    Thanks for your help. Truly appreciated! Let me know about that procedure.

    Also, I think I screwed up my task bar hider. Is that a BHO? If so, I can reactivate it from there.

    Thanks,
    Hawk


    Logfile of HijackThis v1.98.0
    Scan saved at 2:45:57 PM, on 7/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\MSN\MSNCoreFiles\msn.exe
    C:\Program Files\MSN\MSNIA\msniasvc.exe
    C:\Program Files\MSN\MSNIA\WA\ClientSideProxy.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN\MSNCoreFiles\dw15.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Brant\My Documents\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
    O2 - BHO: (no name) - {67A42972-CD4C-4D64-A7E2-D8F98DFCB9AC} - C:\WINDOWS\System32\nocdc.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0000.2693\en-xu\stmain.dll (disabled by BHODemon)
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe"
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\moh.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: View Original Image - C:\program files\msn\msnia\wa\getoriginal.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E50D221-6B07-469B-8E7A-2CDE94072763}: NameServer = 205.171.3.65 205.171.2.65
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2E50D221-6B07-469B-8E7A-2CDE94072763}: NameServer = 205.171.3.65 205.171.2.65
    O18 - Filter: text/html - {C74D92A4-35BB-4D77-9CA1-4CB4C3160A23} - C:\WINDOWS\System32\nocdc.dll
    O18 - Filter: text/plain - {C74D92A4-35BB-4D77-9CA1-4CB4C3160A23} - C:\WINDOWS\System32\nocdc.dll
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may want to print these instructions because I'm going to have you disconnect from the Internet at a particular point.

    1) Make sure you have downloaded, installed, and updated Ad-aware to the current reference lists. But do not run it yet!

    2) Please download this tool called about:buster from: http://tools.zerosrealm.com/AboutBuster.zip
    Unzip it to your desktop but do not run yet.

    3) This step is very important! Disconnect from the Internet completely (i.e., drop analog modem connections, unplug ethernet cables, etc.).

    4) Make sure at this point all Internet Explorer and Windows Explorer sessions are shut down. Do not open them again until instructed to.

    5) Now start HijackThis and have it fix ONLY the following lines:

    O2 - BHO: (no name) - {67A42972-CD4C-4D64-A7E2-D8F98DFCB9AC} - C:\WINDOWS\System32\nocdc.dll
    O18 - Filter: text/html - {C74D92A4-35BB-4D77-9CA1-4CB4C3160A23} - C:\WINDOWS\System32\nocdc.dll
    O18 - Filter: text/plain - {C74D92A4-35BB-4D77-9CA1-4CB4C3160A23} - C:\WINDOWS\System32\nocdc.dll

    Exit HijackThis.

    6) Run about:buster and click Start. Be patient; it takes a while for this to go through all the files it has to look at. The faster your PC, the faster it gets done.


    7) Run HijackThis again and fix the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


    8) Run a full scan with Ad-aware. Since I have you disconnected from the Internet, the following instructions explain how to set Ad-aware's settings to perform a "Full Scan."


    In Ad-aware click the Gear to go to the Settings area. The following items should be on a green check, not on a red X.

    Under the Scanning button:

    - Scan within archives
    - Under Memory & Registry, Check EVERYTHING
    - In Check Drives & Folders, make sure all of your hard drives are selected


    Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)


    Under the Tweak button...

    Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.


    In Scanning Engine:

    - Unload recognized processes during scanning
    - Include info about ignored objects in logfile, if detected in scan
    - Include basic Ad-aware settings in logfile
    - Include additional Ad-aware settings in logfile
    - Include used command line parameters in logfile


    In Cleaning Engine:

    - XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
    - Let Windows remove files in use at next reboot
    - UNCHECK: Automatically try to unregister objects prior to deletion

    Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.

    9) Restart your computer.

    10) Search your PC for the nocdc.dll file mentioned in step 5. Use the following method so that the search includes hidden files:
    Click Search and then select "All files and folders"
    Enter the filename (nocdc.dll) in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders

    Then click the Search button.

    If you find the file, delete all occurrences of it. If the above procedure has not yet deleted the file, we would expect it to be in C:\WINDOWS\System32

    11) Reconnect to the internet now.

    12) Post a new HijackThis log and let me know how things are working.
     
    Last edited: Jul 4, 2004
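    As an added example (not from this thread, from HijackThis or from its author): a small Python triage pass that applies the pattern chaslang is fixing above to HijackThis log lines, flagging the R0/R1 search entries pointing at a Temp folder, the unnamed O2 BHO and the text/html and text/plain O18 filters, and collecting the DLL they share so step 10 knows what to search for. The sample log lines are constructed from entries quoted in this thread; the flagging rules are my own assumptions, not HijackThis's.

```python
"""Triage of HijackThis log lines for the about:blank-style hijack fixed above."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the entries chaslang asks to be fixed, plus a few benign
# lines from the same log (Norton BHO, Dell start page, ccApp autorun) that a
# triage pass must leave alone.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Brant\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {67A42972-CD4C-4D64-A7E2-D8F98DFCB9AC} - C:\WINDOWS\System32\nocdc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O18 - Filter: text/html - {C74D92A4-35BB-4D77-9CA1-4CB4C3160A23} - C:\WINDOWS\System32\nocdc.dll
O18 - Filter: text/plain - {C74D92A4-35BB-4D77-9CA1-4CB4C3160A23} - C:\WINDOWS\System32\nocdc.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Every HijackThis entry starts with a section code: R0/R1 (IE start and
# search pages), O2 (BHOs), O4 (autoruns), O18 (protocols and MIME filters).
ENTRY_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "R1" or "O18"
    reason: str   # why the entry is suspicious
    target: str   # URL or file the entry points at
    line: str     # the original log line


def _target(body: str) -> str:
    """Last ' - ' field of an O2/O18 entry: the DLL that implements it."""
    return body.rsplit(" - ", 1)[-1].strip()


def triage(log_text: str) -> list[Finding]:
    """Return the entries matching the hijack pattern described in the thread.

    Rules (my assumptions) mirror what the fix above targets: IE search
    settings pointing at a local file under a Temp folder, the
    HomeOldSP=about:blank residue, an unnamed BHO, and MIME filters for
    text/html or text/plain (such a filter sits in front of every page IE renders).
    """
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, "Running processes:", blanks
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            low = value.lower()
            if low.startswith("file://") and "\\temp\\" in low:
                findings.append(Finding(
                    sec, "IE search/start setting redirected to a local file in a Temp folder",
                    value, line))
            elif key.endswith("HomeOldSP") and low == "about:blank":
                findings.append(Finding(
                    sec, "HomeOldSP left as about:blank by the hijack", value, line))
        elif sec == "O2" and body.startswith("BHO: "):
            name = body[len("BHO: "):].split(" - ", 1)[0]
            if name == "(no name)":
                findings.append(Finding(sec, "BHO with no name", _target(body), line))
        elif sec == "O18" and body.startswith("Filter: "):
            mime = body[len("Filter: "):].split(" - ", 1)[0]
            if mime in ("text/html", "text/plain"):
                findings.append(Finding(
                    sec, f"{mime} MIME filter intercepts every page IE renders",
                    _target(body), line))
    return findings


def dlls_to_remove(findings: list[Finding]) -> set[str]:
    """DLLs backing the flagged O2/O18 entries: the files step 10 searches for."""
    return {f.target for f in findings
            if f.section in ("O2", "O18") and f.target.lower().endswith(".dll")}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
    print("DLLs to search for after fixing:", ", ".join(sorted(dlls_to_remove(found))))
```

    Running it on the constructed sample flags six entries and reports a single shared DLL, C:\WINDOWS\System32\nocdc.dll, which is exactly the file step 10 has you hunt for.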
  12. CaptainHawk

    CaptainHawk Private E-2

    OK, I've done the exercise you prescribed to a "T". So far, so good. But I haven't clicked on my email Icon on my MSN9 browser yet, because I'm afraid the error message is going to pop up -- and just as I type this, it did pop up. :rolleyes:
    So, what does this mean? Do I have to remove and reinstall MSN9 again?

    Here's the last log per your instructions. I'll check it again, run another Hijaak, when I close off-line.

    There were no results when I searched the computer for nocdc.dll.

    Thanks!
    Hawk
    Logfile of HijackThis v1.98.0
    Scan saved at 11:59:43 PM, on 7/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Brant\My Documents\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0000.2693\en-xu\stmain.dll (disabled by BHODemon)
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe"
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\moh.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2.0\BHODemon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is a line in your HijackThis log that is disabled by BHO Demon:
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0000.2693\en-xu\stmain.dll (disabled by BHODemon)

    Perhaps this is the problem with MSN. See if you can stop BHO Demon from disabling it.
     
  14. CaptainHawk

    CaptainHawk Private E-2

    I re-enabled it, and nothing changed. I even checked the log to see if there was anything different, but not so far. Almost as if the problem is somewhere so deep we can't get to it.
    A couple days ago, when I called microsoft tech support, they said my msn software was corrupted and they had me remove and reinstall it, but at that time, I still had the stuff in there tainting it.
    Do you think, even after cleaning out the problem, that the software would go back to behaving normally (e.g. msn9 successfully downloading email files and displaying new and current message list on screen)? Or should I remove and reinstall it?
    I'm still checking other programs too.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does your HijackThis log still show the BHO disabled? If so, you may need to reboot after telling BHO Demon not to disable it.

    If that does not work I would then say, since there is no way of knowing what happened while the hijacker was causing problems, uninstalling MSN and reinstalling may be the only option to see if you can correct it.
     
  16. CaptainHawk

    CaptainHawk Private E-2

    Just wanted to add that there are two main problems which, I'm assuming (and maybe I shouldn't), are related.

    The first is the error reporting message I get when I connect to the internet, which seems to come from my email not being able to load. In the error report, the path it gives is:
    C:DOCUME~1\BRANT\LOCALS~1\Temp\fdr3380.fdr
    I've tried deleting these in the past, and they just come back with a different number between fdr's.

    The second problem I'm facing, which I never had until now, is when I run ProTools, my CPU usage fluctuates between 60 and 100%, and when I'm trying to use the "bounce" option to convert a session to a single audio file, it quits.
    It could be coincidence that this problem is occurring in the midst of the spyware issue. Perhaps I need to do a disk defragment. But it seems like there is something running in the background, not showing up on Task Manager as itself, but including its own usage under ProTools.

    Am I making any sense? I'm going to defragment, and see what happens. Any input would be appreciated.

    Thanks much!

    Hawk
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know what that fdr3380.fdr file is but it is in a temp directory which seems rather suspicious. Have you tried running CrapCleaner yet? (I forget if I suggested that yet. I'm working on lots of problems simultaneously...bear with me.)


    One more item to try that could help us is: Security Task Manager. Download it from http://www.neuber.com/taskmanager/download.html
    Check it out. Maybe we can find some processes running that are suspicious. This is 30-day trial software, so use it quickly.
     
  18. CaptainHawk

    CaptainHawk Private E-2

    Downloaded Ccleaner, ran it just on the system, and it came up with a ton of stuff. I'll do more later.
    I've been working on cutting an album for five months, and don't want to take a chance on losing anything regarding that, so I'll do more cautiously later.

    Downloading the Task Manager now.

    Get back to you tomorrow. G'night.

    Hawk
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I thought you were checking out for the night. I still see you. I gotta get some sleep too.

    Talk to you later.
     
  20. CaptainHawk

    CaptainHawk Private E-2

    This is getting weird.
    Now, when I try to go into my MSN9 mail, I get a message that says "does not recognize this file ext.: msn9.mailhost"
    Did I delete something I shouldn't have last night?
    Every time I click on the mail envelope, a different name of msn comes up like
    MSN6... MSN7... MSNB....

    I also adjusted the processor scheduling performance according to my ProTools troubleshooting guide. At this point I'm more concerned with getting the ProTools running correctly. I have a couple other things I can do from the troubleshooting guide, but I wanted to see if you have any further info first.

    Thanks,
    Hawk
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm at a loss on this MSN issue you are having. Did you uninstall it and then try reinstalling? The only other thing I could suggest is possibly starting a new thread in the Software Forum with all the details of your problem (make sure you indicate that it all started after removing spyware problems). But I would guess the answer may be the same: uninstall/reinstall.
     
  22. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I am anticipating a couple minor software glitches with HSRemove. Simply put, it's a one-man band who put it together and he can not test everyone's software. You could try and contact him and ask about it, but as Chaslang said, a reinstall will probably fix it.
     
  23. CaptainHawk

    CaptainHawk Private E-2

    Well guys,
    I wish I could say everything is back to normal, however, it's not.

    Thanks for your time and help. I believe we got the spyware off. I don't know if I have some sort of virus or what, but when I watch the running tasks, the msmsgs.exe will spike up to around 100% every 30 seconds to a minute.
    I tried starting with all services off, and I was finally able to bounce a session file into an audio file from ProTools without it stopping on me. So, whatever is causing the CPU spiking runs in the services, and not in the system (as far as I can tell).

    I've taken off MSN9, and all browsers and reinstalled, and I still get that d@mned error message: "fdr####.fdr"

    For some reason, I've lost "notepad" and "mediaplayer", and my Musicmatch isn't working either. I probably deleted the drivers by accident in the CCleaner tool.
    I'm getting the feeling that this computer is pretty close to junk now. So, being a poor musician, I don't know what I'm going to do. But, man o man, I feel really bummed.

    Something evil is lurking deep down in my computer, and I can't figure out what it is.
    I may post to the hardware/software boards, but I don't think anyone's going to be able to help me. Rats.

    Thanks for your help. At least we tried.

    Hawk
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Check to see if a Windows service named "Network Security Service" is running. To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now in the Services window that pops up look for Network Security Service. If you find that service, right click on it and select Properties. Tell me what you see (exactly) in the "Path to executable" box.

    I don't think CCleaner should have any impact on the programs you are saying you can no longer run. It primarily cleans up temp folders and temporary files and other unnecessary junk. Unless you started playing with the Issues button (Registry and Files integrity), but even that should not be a problem. And it does have a restore capability if you did make changes in the registry area (as long as you did the backup).

    For your MSN error message, post the exact complete message that it gives including the file name.
     
    Last edited: Jul 5, 2004
  25. CaptainHawk

    CaptainHawk Private E-2

    Howdy!

    I'm back. I was off line for a couple days as I removed all the msn stuff, and got an AOL disc in the mail, so I'm trying that now.

    Updates: I finally got my ProTools program to work. After uninstalling all MSN software, and then turning off all my Norton/Symantec services in the msconfig way, the spiking stopped. So, as far as that goes, could it have been something in the Norton maybe scanning the system and causing occasional spikes in CPU usage?

    Also, when I did another Ad Aware scan, it came up with cool/web search... I think THIS has been the spyware problem, because I had about:blank again too. I followed your previous procedure, but not in the exact same way, I just scanned with ad-aware and then did a Hijaak. The Ad-aware came up with a few cool/websearch things...

    Also, per your last message, I went into the services, and I don't have the exact wording on my security service. Mine says something like NT security blah blah... But I went in there and found this in the field: C:\WINDOWS\System32\lsass.exe .
    Is this the sasser worm, or just something else?

    I'll be on and off today, so hopefully I'll hear from you. Thanks!

    Hawk (Brant)
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The Security Service you found with lsass.exe is okay. That is not what I was looking for. And you are the second person confirming my belief that Network Security Service (NSS) is not used in the About:Blank problems.

    Were you able to clean up your CWS issues?
     
  27. CaptainHawk

    CaptainHawk Private E-2

    Hi,

    So far, I've had none of the annoying CWS issues that I was having before. I had one trojan attack but my Norton caught it and deleted it. I had those pop-ups until I restarted and cleaned it out with Hijaak, and Ad-aware. I haven't had anything since.

    Question: Are there triggers for something that's already embedded on your computer that lets it back in or something???

    Anyway, looks like the only problem I'm having now is with my NortonAV... I made the mistake of upgrading to a newer base version. It's so cumbersome now that it interferes with my ProTools, even after I disable it. What I have to do is go in through msconfig, and turn all those services off. It's kind of a pain, but what else can I do?

    Yeah, I didn't see anything about security in what you had me go to. Does the about:blank turn it off or something? Or delete it? Hmmm.

    Thanks for all your gracious help.

    Brant
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may want to consider dumping the Norton stuff. It is a huge resource hog which appears to be a problem for you anyway. There are several free very good AV programs available here on MG's.

    As to your question: If you don't clean up everything that these new hijackers put on your system, they find ways to respawn themselves. You also need to make sure you have cleaned out old system restore points that could have this crap saved in them. Otherwise if your system ever does a restore, you can bring it all back.

    Forget about the NSS item. About:blank does not turn it off. It is part of the problem when you have the HomeSearchAssistant hijack, not the About:blank hijack.
     
  29. CaptainHawk

    CaptainHawk Private E-2

    I keep system restore off. That may seem dangerous, but I'd rather deal with one problem at a time.

    As far as HSA and about:blank, I think my system is MOSTLY clean. The only thing I haven't done is a system search with the newest extension. But I will today, just to be safe.

    I'd feel really weird taking off Norton... I just spent fifty bucks upgrading it... (in desperation). I'll try it for a bit longer, but if it doesn't work, if you wouldn't mind giving me a couple names of free ones that work well (if you're confident they are update-able, and that no hacker is going to break into the MGs security walls to tamper with stuff) that'd be cool.

    Cheers,
    Brant
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I didn't say leave System Restore off. I said remove all check points. You do that by disabling then rebooting. Now enable system restore again and reboot again. Now if your PC is in good working order with none of this malware on it, manually create a new checkpoint.

    What do you mean by "The only thing I haven't done is a system search with the newest extension"?

    Here are a couple good free virus scanners:

    Anti Virus
    http://majorgeeks.com/download1968.html Avast
    http://majorgeeks.com/download886.html AVG
     
  31. CaptainHawk

    CaptainHawk Private E-2

    All right, gotcha! I'll follow that for system restore.

    What I meant was that I didn't do a "Search" for the latest about:blank ****.dll (driver thingy)

    But I've done it since then.

    HOWEVER, after I seem to get my system clean, occasionally when I go online I get the about:blank stuff again. This is where I'm getting confused. Shouldn't it be more difficult for me to get that about:blank...? Or is it that I'm not getting it all completely off my system?
    Brant
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It can come back for a number of reasons:
    - the fix was not complete
    - you go back to wherever you picked it up the first time and
    - you have not taken the proper courses of action to keep your PC protected.

    Please post a current HijackThis log.
     
  33. CaptainHawk

    CaptainHawk Private E-2

    As requested:
    (didn't single space for some reason... usually does automatically)
    Logfile of HijackThis v1.98.0
    Scan saved at 10:38:26 AM, on 7/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Documents and Settings\Brant\My Documents\HijackThis\HijackThis.exe

    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] ?%??\WkDetect.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E50D221-6B07-469B-8E7A-2CDE94072763}: NameServer = 205.188.146.146
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2E50D221-6B07-469B-8E7A-2CDE94072763}: NameServer = 205.188.146.146
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not see any indications of the HSA hijacker in your log. It does, however, look like Messenger has lost some files (you may need to reinstall if you use it):
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
     
