"Home Search Assistent" - very nasty variant



#1 CMTaylor (Member, 10 posts)
On 4-May-05, after 2pm, my wife was doing a Google search for medical information. One of the links she followed went somewhere that was obviously not what it said it was... maybe an on-line pharmacy site. Something about it made her suspicious so she closed Internet Explorer. She may have done Outlook mail reading next. Next time she opened Internet Explorer it had the "about:blank" homepage instead of her usual Google search page. She immediately ran our Microsoft Antispyware scan. It found "a few things", asked her if she wanted to remove them, and she said "yes".

As an aside, we had Microsoft Antispyware installed for a week or two but had turned off its real-time Internet Explorer monitoring because of its annoying habit of warning us about the home page changing every time we switched users (I have a different home page in my account from my wife's). Bad decision in hindsight...

She may have mentioned the Antispyware scan to me that evening, but I thought it was a good thing. Thursday morning, 5-May-05, she used Internet Explorer again and it still had the "about:blank" homepage. She tried several more Microsoft Antispyware scans, finding and removing "3 things" every time.

On the weekend of 7-May-05 I got serious about this threat and tried various techniques to remove it. Symantec had a page about removal of this type of spyware and I followed some of its suggestions for removal of registry items. I also used "Sysinternals Process Explorer" to find and try to kill the offensive process. It kept restarting itself with a new "morphed" name. I found and manually removed these executables several times with several different morphed names. They were always 0K, 12K or 33K in size. I have a collection of these files (well hidden) if they would be of use to you.

In addition to the "about:blank" homepage I noticed several other symptoms:
- My Symantec AntiVirus real-time scan was disabled and refused to allow me to re-enable it
- My Symantec Firewall was disabled and refused to allow me to re-enable it
- Any attempts in Internet Explorer to go to anti-spyware websites found in Google were blocked


I forget now exactly what I did when... but we started using the system only in Safe Mode, where the problems mostly went away. I also installed and started using FireFox instead of Internet Explorer. We were away for a week with the PC turned off.

Last weekend, 22-May-05, I made another series of efforts to fix this problem. Using my work laptop I read various Anti-Spyware software reviews and then purchased the "Aluria Security Center". I ran it, it found several things, claimed to remove them, but the "about:blank" problem always returned. I also tried a few free tools including CWShredder, Spysubtract and XoftSpy. Each of them claimed to find and do some removal, but none of them removed the main problem.

Yesterday, 25-May-05, I discussed the problem with 3 IT guys at work. They advised me to do the following (which I did, all in Safe Mode):

1) Use Add/Remove Programs to remove anything "suspicious"
- when doing so I found "Home Search Assistent". Attempted removal invoked FireFox and tried, unsuccessfully, to go to "www.looking-for.cc". It did not remove the software.

2) Run MSCONFIG and disable anything I considered unnecessary
- I disabled "PS2" 'cause I'd mistakenly removed it in step 1 (it's an HP Kbd driver but I don't use the special HP keyboard, I use a Microsoft Natural)
- I disabled "C:\WINDOWS\System32\mspa32.exe" 'cause it looked like one of the morphed spyware programs
- I disabled "Updates from HP" 'cause it's always bugged me

3) Install and run SpyBotSD and Ad-Aware
- These found various problems and claimed to fix them. I have logs and screen shots. The basic "about:blank" problem always returned.

Then I found your website while searching on my work laptop for "Home Search Assistent" removal assistance. I read this page: http://www.geekstogo...Wiz-t27407.html
and followed its instructions to the point of HijackThis. I realized at that point that my HijackThis log didn't match the one being discussed. Continued...

#2 CMTaylor (Topic Starter, 10 posts)
... continuing...

So I registered on your site and followed all the "Do this before you post" instructions. Here's exactly what I did:
1) CleanUp! (in Safe Mode)
2) Ad-Aware SE (in Safe Mode) have the logs if you want them
3) CWShredder (in Safe Mode) "5 explorer pages restored", no other fixes
4) Spybot S&D (in Safe Mode) only found "CDilla" and "BackWeb Lite". Left alone.
5) Ewido (in Safe Mode) 97 files found, mostly cookies, have report.
6) Couldn't get Trend Housecall to work in FireFox, not going to use Internet Explorer
7) Skipped other virus scanning suggestions but browsed around my filesystem and manually removed two empty directories: C:\system.sav and C:\Config.msi. They haven't come back and may have been "innocent".
8) Windows Update to SP1a (in Safe Mode with Networking)
9) Rebooted to normal mode, re-enabled the 3 items in MSCONFIG, as per your instructions.
10) Rebooted to normal mode and took a HijackThis dump. See below:

Logfile of HijackThis v1.99.1
Scan saved at 7:51:40 AM, on 26-May-05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALURIA~2\asKernel.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Martin\My Documents\Downloads\Software\Anti-Spyware\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r3.attbi.com;;localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {03986A99-8487-BF06-A53A-7D6D4ED76483} - C:\WINDOWS\netdi32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mspa32.exe] C:\WINDOWS\system32\mspa32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~2\ascserv.exe
O23 - Service: asKernel - Unknown owner - C:\PROGRA~1\ALURIA~2\asKernel.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Sorry if I've overwhelmed you with detail but I thought it might help and I really need help getting this very nasty spyware off my system... thanks in advance!

#3 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
Excellent job so far.

Download and run About:Buster from:
http://www.majorgeek...wnload4289.html
It usually takes two runs to get cleaned.

Then run CWShredder again. Use the Fix button.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {03986A99-8487-BF06-A53A-7D6D4ED76483} - C:\WINDOWS\netdi32.dll (file missing)

O4 - HKLM\..\Run: [mspa32.exe] C:\WINDOWS\system32\mspa32.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <= Unless you are using that to prevent other users from changing your settings

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

Then copy the part in bold below into notepad and save it as CWSuni.reg

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY___NS_SERVICE_3]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\__NS_Service_3]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_SERVICE_3]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Doubleclick that file and confirm you want to merge it with the registry.

Then reboot and post a new HijackThis log.

Regards,

#4 CMTaylor (Topic Starter, 10 posts)
Thanks so much for the quick response. I was going to leave it and go to work, but I've followed your instructions now.

Please note that I did a bit of a "no-no" according to your main guidelines. Instead of leaving the system running after the first HJT log I rebooted into "Safe Mode With Networking" so my wife could check her email. She did this with Outlook, then we turned the PC totally off. Realizing my error, I restarted it and did another HijackThis and then diffed the logs. They were slightly different. At that point I was going to post the new log, but I saw your response so I followed all the instructions.

About:Buster runs 2 scans by itself, but I repeated this so actually 4 scans were done. It found a few things to fix the first time... I have the log if you're interested. CWShredder didn't find anything.

When I did the HijackThis scan to check the items you listed the first item was not present. All others were. I checked these and removed them. Then I did the RegEdit bit. Here's the new HijackThis scan log:

Logfile of HijackThis v1.99.1
Scan saved at 10:18:36 AM, on 26-May-05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALURIA~2\asKernel.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Martin\My Documents\Downloads\Software\Anti-Spyware\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r3.attbi.com;;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~2\ascserv.exe
O23 - Service: asKernel - Unknown owner - C:\PROGRA~1\ALURIA~2\asKernel.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I'll wait 10 minutes for a possible reply, but then I really have to get to work. If I don't get a quick reply it will be late tonight or tomorrow before I can get back to this.

Thanks again!
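The checks Metallica lists in post #3 (the about:blank R0/R1 entries, the missing URLSearchHook, the "file missing" BHO, the mspa32.exe Run entry, the O6 policy) and the log diff CMTaylor mentions in post #4, as an added Python script that is not part of this thread or of HijackThis itself. Both log excerpts are constructed from the entries posted above; the O4 rule (flag a Run entry whose image lives in System32 and is not on a small allowlist) is a review heuristic of my own, not a rule the thread states.

```python
"""Scripted triage of a HijackThis log, plus a diff of two logs, for the entries this thread deals with."""
import re

# Constructed excerpts of the two HijackThis logs posted in this thread: the first log
# (before the fixes) and the second one (after About:Buster, CWShredder and the HJT fixes).
LOG_BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r3.attbi.com;;localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {03986A99-8487-BF06-A53A-7D6D4ED76483} - C:\WINDOWS\netdi32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [mspa32.exe] C:\WINDOWS\system32\mspa32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r3.attbi.com;;localhost;<local>
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# One HijackThis entry: a section tag (R0, R1, R3, O2, O4, ...) followed by " - " and the details.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - .*$")
# The [name] and image path of an O4 Run entry; quoted paths with spaces are handled too.
O4_IMAGE_RE = re.compile(
    r'\[(?P<name>[^\]]+)\]\s*(?:"(?P<quoted>[^"]+\.exe)"|(?P<bare>\S+\.exe))', re.IGNORECASE
)
# System32 images that are normal in a Run key (assumption for this example; extend as needed).
SYSTEM_RUN_ALLOWLIST = {"ctfmon.exe", "rundll32.exe"}


def parse_entries(log_text):
    """Return (section, line) pairs for every entry line; the header and process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), line))
    return entries


def flag_entry(section, line):
    """Return a reason if the entry matches one of the indicators discussed in the thread, else None."""
    if section in ("R0", "R1"):
        value = line.split("=", 1)[1].strip() if "=" in line else ""
        if value == "" or value.lower() == "about:blank":
            return "IE start/default page cleared or set to about:blank"
    if section == "R3" and "missing" in line:
        return "default URLSearchHook has been removed"
    if section == "O2" and "(file missing)" in line:
        return "BHO registered for a DLL that no longer exists (orphaned hijacker component)"
    if section == "O4":
        m = O4_IMAGE_RE.search(line)
        if m:
            image = m.group("quoted") or m.group("bare")
            folder, _, exe = image.replace("/", "\\").rpartition("\\")
            if folder.lower().endswith("system32") and exe.lower() not in SYSTEM_RUN_ALLOWLIST:
                return "Run entry launching an unlisted executable from System32 (review)"
    if section == "O6":
        return "IE Control Panel restriction policy present (fine only if the owner set it)"
    return None


def triage(log_text):
    """All flagged entries of a log as (line, reason) pairs."""
    findings = []
    for section, line in parse_entries(log_text):
        reason = flag_entry(section, line)
        if reason:
            findings.append((line, reason))
    return findings


def removed_entries(before_text, after_text):
    """Entries present in the first log but gone from the second: what a fix actually removed."""
    after = {line for _, line in parse_entries(after_text)}
    return [line for _, line in parse_entries(before_text) if line not in after]


if __name__ == "__main__":
    for line, reason in triage(LOG_BEFORE):
        print(f"{reason}\n    {line}")
    print("\nRemoved by the fix:")
    for line in removed_entries(LOG_BEFORE, LOG_AFTER):
        print("   ", line)
```

Run it on a full log by reading the saved file into `triage()`; anything it flags is a candidate for the "Fix checked" list, not an automatic verdict, and `removed_entries()` is the quick way to confirm that a fix actually took the entries out rather than diffing by eye.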

#5 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
Well. It looks good from here.

Let me know if your computer is behaving as it should.

Regards,

#6 CMTaylor (Topic Starter, 10 posts)
I'm doing an extremely thorough check of my PC this weekend with all the various Spyware and Virus scanners that I have access to. So far nothing has been found. I do still have one concern: I can't turn on Norton Firewall and Norton AntiVirus real-time checking. I've done an update of those tools but that didn't help. If everything shows clean after all my scans then I'll probably contact Symantec for assistance in restoring those tools, unless you have any useful suggestions there.

I really appreciate your prompt and thorough help in getting my system cleaned. I've seen that some sites like this have PayPal contribution buttons but I don't see one here. I'd like to help in this way if you have such a contribution scheme.

Thanks again!

#7 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
You can also try this for your Norton products:

https://www-secure.s...on.jsp?ref=sup4

It should provide you with any updates you may be missing.

For Donations to the site:
http://www.geekstogo..._Site-t132.html

Regards,

#8 CMTaylor (Topic Starter, 10 posts)
I've thoroughly checked my system and there seems to be no Spyware left. However, I still have some residual problems from the spyware that I did have.

1. I can't connect to any "https://" site in either FireFox or Internet Explorer

2. I can't restore my Norton settings 'cause it says "You don't have permission" (I have administrator rights)

Are these things that you can advise and help with?

Thanks!

#9 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
You are the second one having problems with https sites.
Check in IE under Help > About if encryption is at 128 bits

If this is so then click Start > Run > copy&paste regedit /e C:\https1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https" > OK

This will create the file C:\https1.txt
Post the content of that file.

If it is not at 128 bits, let me know, since we will have to install that.

Regards,

#10 CMTaylor (Topic Starter, 10 posts)
Here's the results of the registry extract:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https]
@="URL:HyperText Transfer Protocol with Privacy"
"EditFlags"=dword:00000002
"URL Protocol"=""
"Source Filter"="{E436EBB6-524F-11CE-9F53-0020AF0BA770}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\DefaultIcon]
@="C:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\command]
@="C:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE -url \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec]
@="\"%1\",,0,0,,,,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application]
@="Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Topic]
@="WWW_OpenURL"


I'm guessing that the line I highlighted in red is the problem... right?
So... what do I do with it?
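The `regedit /e` export Metallica asked for in post #9 and CMTaylor posted in post #10, parsed and checked by an added Python script that is not part of the thread. It reads the .reg text format (key paths in brackets, `@` for the default value, quoted strings with backslash escapes, `dword:` values), pulls out the `shell\open\command` handler for a URL scheme, and reports when a scheme has no handler or when http and https are handled by different programs. The https keys are the ones posted above; the http key, and the second export with the https command missing, are constructed for the example.

```python
"""Parse a regedit /e export and check the http/https protocol handlers it contains."""
import re

# The https export posted in this thread, plus a constructed http key (not from the thread)
# so that the two handlers can be compared.
REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https]
@="URL:HyperText Transfer Protocol with Privacy"
"EditFlags"=dword:00000002
"URL Protocol"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\command]
@="C:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE -url \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec]
@="\"%1\",,0,0,,,,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command]
@="C:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE -url \"%1\""
"""

# Constructed variant in which the https command key is missing altogether.
REG_EXPORT_NO_HTTPS = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https]
@="URL:HyperText Transfer Protocol with Privacy"
"URL Protocol"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command]
@="C:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE -url \"%1\""
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def _unescape(s):
    # Undo .reg string escaping: a backslash escapes the next character (so \\ -> \ and \" -> ").
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Return {key path: {value name: value}}; '' is the (Default) value, dword values become ints."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group("name") == "@" else _unescape(m.group("name")[1:-1])
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
            elif data.lower().startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:
                keys[current][name] = data  # hex(...) and other types are kept raw
    return keys


def handler_command(keys, scheme):
    # The (Default) value of HKLM\SOFTWARE\Classes\<scheme>\shell\open\command, or None.
    wanted = f"hkey_local_machine\\software\\classes\\{scheme}\\shell\\open\\command"
    for key, values in keys.items():
        if key.lower() == wanted:
            return values.get("")
    return None


def handler_executable(command):
    """Executable part of a shell command line: the quoted path, or the first whitespace-delimited token."""
    if not command:
        return None
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 1 else None
    return command.split(None, 1)[0]


def check_protocol_handlers(reg_text):
    """Findings about the http/https handlers: a missing command, or the two schemes split between programs."""
    keys = parse_reg(reg_text)
    findings, exes = [], {}
    for scheme in ("http", "https"):
        exe = handler_executable(handler_command(keys, scheme))
        if exe is None:
            findings.append(f"{scheme}: no shell\\open\\command value, URLs of this scheme cannot be launched")
        else:
            exes[scheme] = exe.lower()
    if len(exes) == 2 and exes["http"] != exes["https"]:
        findings.append(f"http and https are handled by different programs: {exes['http']} vs {exes['https']}")
    return findings


if __name__ == "__main__":
    for label, export in (("posted export", REG_EXPORT), ("constructed broken export", REG_EXPORT_NO_HTTPS)):
        print(label, "->", check_protocol_handlers(export) or "no findings")
```

For the export posted above the script reports nothing: both handlers point at FIREFOX.EXE, which is consistent with Metallica's reading that Firefox simply claimed secure URLs, and is not on its own an explanation for https failing in both browsers. Note that `regedit /e` writes the file as UTF-16; open it with `encoding="utf-16"` before passing the text in.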


#11 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
Hmm. Not so sure.
It looks as if FireFox has claimed the use of secure sites

Can you surf to http://www.verisign....isor/check.html
Let me know the results.

Regards,

#12 CMTaylor (Topic Starter, 10 posts)
I got 3 checkmarks and "no changes required" from this security scan. I don't think the problem is at the browser level. I think that when the spyware corrupted my system it somehow replaced or infected my WinSocks layer. How else could it have prevented me from visiting anti-spyware sites, even when I was using FireFox in Safe mode? I've tried fixes to the WinSock registry entries, but is there some reliable place I can go to get clean copies and reinstall just this part of Windows? Do you think it would be safe, and effective, to upgrade my system now from SP1a to SP2?

Thanks for your continued advice and support!

#13 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
Either use WinsockFix like this:
http://www.tacktech....ay.cfm?ttid=257

Another option they often use to prevent you from visiting security related sites is your hosts file.
To disable it find:
C:\WINDOWS\System32\drivers\etc\hosts
and rename it to hosts.bak

Let me know which one works. I have someone else with a similar problem.

Regards,
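Metallica's hosts file suggestion above, as an added Python check that is not part of the thread: rather than renaming the file, it lists every mapping a stock Windows hosts file would not contain, so you can see whether security sites have been pinned to loopback (unreachable) or to some fixed address (DNS bypassed). The sample file content and the two domain names in it are constructed for this example; point the script at C:\WINDOWS\System32\drivers\etc\hosts to run it on a real machine.

```python
"""List hosts-file entries that a stock Windows installation does not have."""

# Constructed sample of C:\WINDOWS\System32\drivers\etc\hosts: the default localhost line
# plus two tampered entries; both domain names are made up for this example.
HOSTS_SAMPLE = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
127.0.0.1       antispyware-vendor.example        # site pinned to loopback: unreachable
10.0.0.99       securityupdates.example           # site pinned to a fixed address
"""

DEFAULT_NAMES = {"localhost", "localhost.localdomain"}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) for every mapping; comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_hosts_entries(text):
    """(ip, host, reason) for every mapping other than localhost on a loopback address."""
    findings = []
    for ip, host in parse_hosts(text):
        if host in DEFAULT_NAMES and ip in LOOPBACK:
            continue
        if ip in LOOPBACK:
            reason = "pinned to loopback: the name resolves to this PC, so the site is unreachable"
        else:
            reason = "pinned to a fixed address: DNS is bypassed for this name"
        findings.append((ip, host, reason))
    return findings


def hosts_is_default(text):
    """True when the file contains nothing beyond the stock localhost mapping."""
    return not suspicious_hosts_entries(text)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else HOSTS_SAMPLE
    for ip, host, reason in suspicious_hosts_entries(text):
        print(f"{ip:<16} {host:<32} {reason}")
    if hosts_is_default(text):
        print("hosts file is in its default state")
```

An empty result is what CMTaylor reports in the next post ("the hosts file is in its default state"); a non-empty one explains the blocked security sites directly, and the offending lines can then be deleted while leaving the localhost line in place.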

#14 CMTaylor (Topic Starter, 10 posts)
I've already tried a couple of WinSock fixers like this, and the hosts file is in its default state. I still can't get to any https:// site. Attached is an example of the error message I get.


#15 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
And when you try:

https://my.screennam...login/login.psp

Let me know,