Followed Guidelines - Used Hijack Log Analyzers - Need Advice

Discussion in 'Malware Help (A Specialist Will Reply)' started by Jabinjax, Mar 4, 2005.

  1. Jabinjax

    Jabinjax Private E-2

    I have been implementing the Major Geeks Posting Guidelines and I think I am ready for an expert to look at my HijackThis log and give me advice.

    I accidentally downloaded what I think was some kind of “Browser Enhancement Adware” from a site called “AlwaysUpdatedNews.com/install” a couple of weeks ago. I do not think it successfully finished its installation as I recognized what I did and shut down my internet connection and my PC. However, this “thing” rendered Windows Media Player inoperable. Every time I tried to start Media Player I got an install screen from “AlwaysUpdatedNews.com/install” to finish the install. If I checked active tasks, Media Player was not active. After several days of trying to catch this threat, I downloaded a new copy of Media Player 9 Series from Microsoft and since then Media Player has worked fine and I no longer get the install screen from “AlwaysUpdatedNews.com/install”. Now I am trying to ensure my PC is really clean, hence asking for your help.

    Here is a list of the system and spyware tools I have downloaded, updated, or executed on-line.

    1. Running Windows 98 SE with all critical Microsoft Security updates installed
    2. Running Norton Internet Security and Antivirus 2004 with latest updates.
    3. Downloaded and installed Ad-Aware SE
    4. Downloaded and installed Ad-Aware VX2 Cleaner Plug-In
    5. Downloaded and installed CCleaner
    6. Downloaded and installed Spybot S&D
    7. Downloaded and installed Spybot S&D DSO Exploit Fix
    8. Downloaded, installed SpywareBlaster and Enabled All Protection
    9. Downloaded McAfee AVERT Stinger
    10. Downloaded and unzipped CWShredder
    11. Downloaded and unzipped Kill2Me
    12. Downloaded and unzipped about:Buster
    13. Downloaded HSRemove
    14. Ran On-Line: Trend Micro’s Free On-Line Virus Scan
    15. Ran On-Line: Symantec Security Scan
    16. Ran On-Line: PandaActiveScan
    17. Downloaded and installed HijackThis
    18. Downloaded and installed WinPatrol

    Steps executed in order today:

    1. Started PC in normal mode
    2. Enabled viewing of hidden files and folders and extensions
    3. Downloaded and installed software as instructed
    4. Did an on-line scan using Trend Micros free on-line virus scan – Housecall
    Results: (a) No virus detected and, (b) no worm/Trojan horse detected
    5. Did an on-line security check using Symantec’s Security Scan
    Results: (a) Ran clean on 3/3/05 before installing Spyware recommended by Major Geeks. This was expected as I run Norton Internet Security and Antivirus 2004 and Internet security was active during the runs.
    (b) Made four attempts today as part of this sequence and none completed. The Anti-virus check and Virus protection update ran fine and got green checks. The security check did not finish and gives the message “Following checks did not run due to an error on the server. Please try again later: (i) Hacker exposure (ii) Windows vulnerability, and (iii) Trojan Horse.” After the first attempt I thought SpywareBlaster might be interfering with the test, so I disabled all of its protection and reran the Symantec test. Same result. I think something may be wrong with the Symantec server or they are extremely busy today. Will try again to see if I can get a complete run.
    6. Rebooted PC into safe mode
    7. Ran McAfee AVERT Stinger
    Results: 96229 clean files. No threats reported
    8. Ran CCleaner
    Results: A ton of old and new temporary files deleted. 256.4 MB. About 20,000 fewer files and objects now being scanned by the Spyware tool kit.
    9. Ran Ad-Aware SE
    Results: 92567 objects scanned, zero new critical objects, 18 negligible objects. 12 items quarantined from prior runs, more info available.
    Question: I’m assuming when I downloaded and installed Ad-Aware VX2 Cleaner Plug-in that it was applied to my previous download of Ad-Aware SE. Is this correct, or did I need to do something more to get the Plug-in applied?
    10. Ran Spybot S&D with Spybot DSO Exploit patch applied
    Results: No immediate threats found.
    11. Ran CWShredder
    Results: All not present. Not infected, completely clean
    12. Ran Kill2Me
    Results: First message said: “System clean, want to continue?” I said yes. Second Message said: “Look2Me infection is about to be removed. Your desktop and taskbar will disappear for a few seconds. Don’t be alarmed.” Third Message said: “Look2Me removed if it existed”.
    13. Did not run about:Buster and HSRemove because I did not think they applied to me.
    14. Ran Norton Antivirus 2004. Wasn’t on the list, but ran it anyway.
    Results: 66899 files scanned, no threats found.
    15. Rebooted system in normal mode
    16. Ran HijackThis and saved a log for when you want to see it.
    17. Submitted the HijackThis log to the HijackThis Log Analyzer on the Major Geeks website.
    Results: (i) Nasty - One item, O2 BHO :\windows\system\NZDD.DLL “Must be removed” (ii) Possibly Nasty six items (iii) Unknowns 5 items
    18. Submitted the HijackThis log to the Help2go Log Analyzer on the Major Geeks website.
    Results: (i) Malicious two items: First same as the nasty one from the HijackThis log analyzer. Second one was O2 BHO No name – probable remnant of adware or spyware “Spybot\SDhelper”. (ii) 3 suggestions: first was “O4 realsched.exe”, second was “O4 AOL System Tray” - unnecessary, and last was O16 Browser address for real NW – unnecessary.

    So, in summary all of the Spyware, Adware, virus scans etc. seem to be running clean on my PC. I had trouble getting the on-line Symantec Security Scan to run to completion today, but that may have been an anomaly. Previous runs of Ad-Aware SE, Spybot S&D, and Norton Antivirus found threats and removed them (more info available).

    The only scanner I’ve run that consistently reports threats is PandaActiveScan. It reports two threats: (1) Spyware/Aveo-Attune, and (2) Adware/MediaTickets. I read the fix literature provided by Panda and by Symantec for removing these threats and the aliases listed and could not find any of: (a) the programs to remove with Add/Remove, (b) any of the registry entries to delete, or (c) any of the recommended files to delete. Since no other scans have identified these threats I’ve concluded that PandaActiveScan may be seeing some remnant of another product’s fix for these threats, possibly from Norton as I’ve run that product for about 6 years. Any advice on this?

    So now I’d like to submit the HijackThis log I saved and have you analyze it and provide your recommendations for corrective action. Note the log scans on your website indicate I have at least one NASTY/MALICIOUS threat I need to deal with. I’d like you to verify this and if it needs to be deleted, please give me fairly explicit instructions on how to remove it, as I’m a “Geek in Training” here, not an expert. Plus, where the heck is it coming from?

    Thanks for the help.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. Jabinjax

    Jabinjax Private E-2

    bjgarrick,

    Yes, I have HijackThis 1.99.1. My log should be attached.

    Thanks again for the prompt response and help.
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do another scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/gw/search.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    F1 - win.ini: run=hpfsched

    O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
    Note: This entry above, just reinstall Spybot S&D to fix this. Fix it with HJT anyway.

    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab


    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:

    Navigate to and delete the following file:

    C:\WINDOWS\SYSTEM\NZDD.DLL
    Note: If you have any problems removing this, boot into safe mode and delete it.


    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.



    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    Are you currently experiencing any problems?
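    As an added illustration of how the entries in the fix list above (and the BHO explanation later in the thread) are read, here is a small Python parser for the R0/R1, F1, O2 and O16 line formats, with defensive heuristics that flag the same items bjgarrick asked to fix. This is example code written for this page, not HijackThis or MajorGeeks code; the allow lists and the "system folder" rule are assumptions of the example, not HijackThis behaviour.

```python
import re
from urllib.parse import urlparse
# Sample input (constructed for this example from the entries quoted in bjgarrick's post).
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/gw/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F1 - win.ini: run=hpfsched
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
"""
ENTRY = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
DPF = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*?)\) - (?P<url>\S+)$")
# Assumed allow lists (placeholders for this example; build your own from a known-clean machine).
TRUSTED_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com"}
TRUSTED_DPF_HOSTS = {"update.microsoft.com"}

def parse_entry(line):
    # One HijackThis log line -> dict of its fields, or None for text that is not an entry.
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m["kind"], m["body"]
    entry = {"kind": kind, "raw": line.strip()}
    if kind == "O2" and (b := BHO.match(body)):
        entry.update(name=b["name"], clsid=b["clsid"], path=b["path"], missing=bool(b["missing"]))
    elif kind == "O16" and (d := DPF.match(body)):
        entry.update(clsid=d["clsid"], name=d["name"], url=d["url"])
    elif kind in ("R0", "R1"):
        entry["key"], _, entry["value"] = body.partition(" = ")
    elif kind == "F1":
        entry["value"] = body.partition("run=")[2] or body
    return entry

def review(entry):
    # Reasons an entry deserves a closer look (empty list = nothing noted by these heuristics).
    reasons = []
    if entry["kind"] == "O2":
        if entry.get("missing"):
            reasons.append("orphaned BHO registration (file missing): reinstall the product, then fix the entry")
        elif entry.get("path", "").upper().startswith("C:\\WINDOWS\\SYSTEM"):
            reasons.append("BHO DLL in the Windows system folder, where legitimate BHOs rarely live: verify it before trusting it")
    elif entry["kind"] == "O16":
        if urlparse(entry.get("url", "")).hostname not in TRUSTED_DPF_HOSTS:
            reasons.append("downloaded ActiveX control from a site not on the allow list: fix unless you installed it on purpose")
    elif entry["kind"] in ("R0", "R1"):
        if urlparse(entry["value"]).hostname not in TRUSTED_SEARCH_HOSTS:
            reasons.append("IE search setting changed from the default: reset via Reset Web Settings")
    elif entry["kind"] == "F1":
        reasons.append("legacy win.ini run= autostart: confirm '%s' is software you installed" % entry["value"])
    return reasons

def review_log(text):
    # Whole log -> {raw entry: reasons} for the entries worth a look.
    parsed = [e for e in map(parse_entry, text.splitlines()) if e]
    return {e["raw"]: review(e) for e in parsed if review(e)}
```

Run against the sample log, every one of the six entries comes back flagged, matching the expert's fix list; the heuristics are deliberately conservative and only tell you where to look, not what to delete.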
     
  5. Jabinjax

    Jabinjax Private E-2

    bjgarrick,

    As far as I know I am not experiencing any problems.

    I do have an anomaly with Norton that it gives me a message at every startup saying I must download the latest Redirector patches or I will not get the latest detection signatures. However when I click on the link to download the upgrades, there usually aren't any. Autodownload seems to be working. Had this problem before and it went away. Now it's back, don't know what it means. So, I think I am getting the latest updates, but some Norton task has a flag set wrong or something. Sent a problem email to Symantec, but got gibberish back.

    I am not currently noticing any other strange things happening on my PC.

    I will review your action list and practice before I actually pull the trigger. Dry throat, moist hands here, never used HijackThis to fix problems before. I will let you know of any questions before I start. Got a commitment for tonight so have to go. Will try to implement fixes in the morning. The items you flagged are ones that caught my eye also, just unsure what they were or what to do with them.

    Thanks again. I'll be in touch.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let me know how it goes!
     
  7. Jabinjax

    Jabinjax Private E-2

    bjgarrick,

    I implemented your instructions this morning and the HijackThis log entries and file C:\WINDOWS\SYSTEM\NZDD.DLL appear to be gone from my system.

    Here are some notes about the Fix process:

    1. When I clicked on Fix in HijackThis I did not get any indication when the fix process was complete. I was expecting some kind of message to let me know when HijackThis was complete. Waited about 20 minutes looking at a blank log screen, then did another Scan and the checked entries were gone. So, I assumed HijackThis had completed the fix.

    2. Wasn't able to delete NZDD.DLL in normal mode. Got the message "Cannot delete NZDD.DLL. The specified file is being used by Windows". Rebooted in Safe mode and was able to delete it.

    3. When I went in to IE to reset web settings I found the "Delete Cookies" and "Delete Files" buttons, but I did not see a "Delete all Offline content" button. So, did I miss something or does Windows 98SE not have this button?

    All else went fine, and I'm assuming the objects deleted are gone.

    Some Questions:

    1. Now, what do you recommend as a preventative maintenance process going forward to ensure these objects or any other harmful objects don't get back in my system?

    2. Assuming my Spyware scans continue to run clean, what's your opinion of how safe my PC is? I have not accessed any financial sites, for example, since I suspected I had a problem.

    3. I know some of the items I deleted were probably cleanup in nature, but the O2 - BHO NZDD.DLL, O16 - DPF IPIX ActiveX Control, and file NZDD.DLL looked like threats. Any comments on what the "bad" stuff was that I deleted and what it might have been doing?



    You asked if I have been having any problems in an earlier post. Here's some things I've noticed, but they don't act like Virus/Spyware/Adware issues to me.

    1. Mentioned the error message from Symantec about needing Redirector patches in order to get latest Signature Identifiers. Think this is an erroneous message, but bothersome, as I seem to be getting all updates o.k. Had this before and a Symantec tech told me to uninstall, reinstall my Norton products. Didn't do that. Error message went away for a few months, now it's back.

    2. I am not able to get updates for Ad-Aware SE and SpywareBlaster. When I click on Download latest updates, I get error messages back from the sites saying can't download. SpywareBlaster message said my Internet Security software might be preventing the download of updates. Any Advice?

    3. Tried to Uninstall Netscape 6.0 a couple of days ago in an effort to get rid of stuff I never use. Uninstall failed, hung up. Any possibility that the objects you had me delete were interfering/blocking this Uninstall process? I am not sure that Netscape installed itself properly when I downloaded it several years ago, never got it to work.

    4. I had a problem related to Screen Saver, I think. When Screensaver was running, I'd wiggle my mouse to restore my Desktop, but the Screen Saver program name tab on my Task Bar stayed there. Then if Screen Saver ran a second time and I restored Desktop, I'd still have a "Screen Saver" program tab and a "blank" program tab on my task bar. When I clicked on them they would go away. After the many runs I've made with Spyware scans the last several days, this glitch seems to have gone away.

    My only other problem is a sticky space bar that Gateway says I need to buy a new keyboard to fix for $115.

    Summary: Your responsiveness has been terrific. I stumbled around for several days submitting problems to vendors and other web sites that work on these problems before I found Geeks.com. I still haven't heard back or gotten any useful information from any of the other people I tried to contact.

    Thanks a bunch for the help.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome Jabinjax!

    Now, the problems you listed in your previous post. I would post each one of these in the Software Forum so that they can be concentrated on. I will assure you, no post will go unread. Pretty much all posts in MG's will be read and responded to.

    About the questions you had.

    This article will take care of this question.

    How to Protect yourself from malware!


    If your scans come up clean, then I wouldn't worry. As long as you have updated AntiVirus protection, updated Firewall, and all your Windows updates you will be fine!


    These are known as BHOs (Browser Helper Objects). What they do is monitor the websites you visit and report this data back to their creators. However, some BHOs are not necessarily bad things, and most of them are well-intentioned and beneficial. Some however are not; you just have to know which are bad and which are good.
     
