Pieter, need just a little help.

Logfile of HijackThis v1.97.7
Scan saved at 9:46:29 AM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Forrest\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38099.4376851852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB64074F-2C2B-4793-AB2B-B67EF6C8F221}: NameServer = 68.82.0.5,68.82.0.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{EED42966-7D8D-45C0-AB7C-D52193D996D3}: NameServer = 68.82.0.5,68.82.0.6

I've run ad-aware prior to running hijack this.
I have a descent understanding of how this about blank thing works. I just need help finding the hidden offending file. find-all is no longer available and the replacement isn't working for me. Could you help?

 

Copy the contents of the bold text to Notepad.
Name the file Appinit.bat
Save as type *All Files*
Save on the Desktop.

Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
ren windows1.hiv windows.txt

Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Post the content please.

Regards,

Pieter

 

I've attached the file Pieter. And thank you very much for your attention.

 

Did you see it?

AppInit_DLLsÖæGÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ m s b . d l l

So your hidden file is C:\Windows\System32\msb.dll

Good luck and holler if you need help.

Regards,

Pieter

 

I didn't even look, I thought it was all jibberrish. Next time I'll look!

My next step would be rc correct? Any special commands other than del c:\windows\system32 msb.dll?

And if you have time, how exactly did your prog find that?

You are a great guy. I'd like to make some sort of contribution. Suggestions?

 

That command reads a part of the registry and turns it into a text file.

Some of the jibberish is put there on purpose so you won't find out that that dll is starting from the AppInit_DLLs key.

The Recovery console is the surest way to get rid of it.
There is a program called TheKillbox that will often work or any other program that allows you to use MoveFileEx():
http://support.microsoft.com/default.aspx?scid=kb;EN-US;140570

Regards,

Pieter

 

So far so good. Deleted the file from rc.

Not interested in contributions Pieter?
You deserve something for your efforts. Payin you enough?

 

also, I just followed that path in the registry and the entry still points to the msb.dll offender. Leave that alone?

 

It is visible now so you can delete the value, not the registry key.

Follow the link my signature.

Regards,

Pieter