Need help with...not sure what

Hello, all, I am a newbie to security & privacy software. I also have an unfortunate habit of not learning about my PC's innards until I need to, so please bear with me.

I had finally become tired of pop-up ads and asked for suggestions on privacy software. I had recommended to me adding Spy-bot, Ad-aware and SpywareGuard.

I added Spy-bot first (this week on Tuesday) and on Wednesday my browser was hijacked. I added SpywareGuard and Ad-Aware that day and got my browser back. I have since added SpywareBlaster.

Now, my problem is that I get about a bijillion open files, empty, lined up at the bottom of my computer screen, as if I had opened a program but nothing's there. My brother tells me I probably am getting pop-ups from something that's still on my pc, but the privacy software is keeping the bot from getting access to its web site.

We went through all my star-up programs together and deleted likely suspects, but I continue to get these empty programs.

I am running on Windows 98. The empty pop-ups don't show up when I'm on-line, only when the PC isn't in use. If I do a Control-Alt-Delete to see which programs are running, I can identify all of them and they are supposed to be on my system.

Help! Help! What can I do now?

 

Hi HuskyNan,

Could you post your HijackThis log
Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don´t fix anything yet. Most of what it finds is harmless.

Regards,

Pieter

 

Here's the log from Hijack This. Last night I deleted something in the program files from New.Net but I still have the problem.


Logfile of HijackThis v1.97.2
Scan saved at 4:34:51 PM, on 9/20/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\CREATIVE\PLAYCENTER2\CTNMRUN.EXE
C:\WINDOWS\RunDLL.exe
C:\HP PHOTOSMART\PHOTO FINISHING SOFTWARE\ONLINEREG\REMIND32.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\SBC\CONNECTION MANAGER\CMANAGER.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://connecticut.rivals.com/forum.asp?sid=1039&fid=1367&style=1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\sfvrvj7g.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\sfvrvj7g.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [lhsfobc] "C:\WINDOWS\SYSTEM\LHSFOBC.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\CREATIVE\PLAYCENTER2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = D:\Publisher\Office10\OSA.EXE
O4 - Startup: Reminder-hpc40404.lnk = C:\HP PhotoSmart\Photo Finishing Software\OnLineReg\Remind32.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yse/yinstmulti.cab

 

Hi HuskyNan,

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [lhsfobc] "C:\WINDOWS\SYSTEM\LHSFOBC.exe"
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

Then reboot and delete:
C:\PROGRAM FILES\NEWDOTNET <= entire folder

Then pay the Windows Update site a visit and install at least all the critical updates.

Keep us posted if that helps,

Pieter

 

Last night I deletd

O4 - HKLM\..\Run: [lhsfobc] "C:\WINDOWS\SYSTEM\LHSFOBC.exe"

then found out my IP software didn't work. When I reloaded it, my IP came up OK. Is there anyway of finding if SBC has this spyware imbedded in it's software or if it's somehow connected? I didn't delete it today.

I am typing this from my kids' computer because IE is giving me an error message. I'm told that

"This page cannot be displayed" and that the web site may be experiencing technical difficulties or that my browser may need to be adjusted. I am using IE 6.0. Any suggestions?

 

Hmm. Could you send me a copy of C:\WINDOWS\SYSTEM\LHSFOBC.exe
to the email address in my profile?

I'll have a look and will let you know.
Restore it if that bring back your connection.
If it doesn't download LSPFix from http://www.cexx.org/lspfix.htm and use that to remove unwanted entries from your LSP stack.

Regards,

Pieter

 

I apologize for not explaining my problem well.

I didn't delete the LHSFOBC.exe file when I deleted the others because it did cause problems last night. I deleted the other 5 that you suggested I delete. They were:

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

Now, whenever I try to go into IE or Netscape, I am unable to access the internet. Both browsers tell me that they are unable to access the page I am requesting.

I checked the internet connection and it said it was operating normally. I simply am not able to get on-line because the browsers give me error messages.

Unfortunately, SBC Yahoo forces me to use their mail system, so I am unable to e-mail you the LHSFOBC.exe information. I am also unable to download any fixes.

Everything else on our PC is working fine and we no longer have the pop-ups that were the reason I came here in the first place

 

I am back on-line. I ran Spybot and AdAware then tried to come back on-line again and here I am. It makes no sense, but it works.

How can I send you a copy of the

C:\WINDOWS\SYSTEM\LHSFOBC.exe

I find it listed under C:\Windows\System and also under C:\Windows\Temp. I will be glad to send you a copy but am not sure how to do what you need.

 

The file Pieter would like a look at is the one in C:\Windows\System.

As for sending him a copy, does this help?

How can I add an attachment to a message?

 

OK< thank you very much.

By the way, I can now access the internet, but the empty pop-ups are back.

 

Try the following:

Copy the bold lines to Notepad, and save as Taskbar.reg (save as 'all file types' ).

Doubleclick Taskbar.reg, and answer 'yes' to the prompt to add its contenbts to the registry.

Now restart your computer, and tell us whether that has helped.


REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop]



Good luck,

 

The file we had been discussing appears to be a big problem. I am referring to

C:\Windows\System\LHSFOBC.exe

I tried to send a copy to Pieter, but Yahoo told me it was a virus so I didn't send it.

I updated McAfee and ran a virus scan, and it showed up as a virus but McAfee was unable to clean it. Do I just delete it from my system?

 

If both McAfee and Yahoo tell you the file is viral in nature, it's unlikely to be a brand new baddie.

However, do feel free to send Pieter a copy, if Yahoo will allow you to.
He'll be prepared for that eventuality.

After sending him a copy, feel free to delete the file.

 

I'm sorry to sound so clueless but please bear with me.

1. Where do you want me to open notepad?

2. The file C:\Windows\SYstem\LHSFOBC.exe refuses to be deleted. My PC tells me it's running. So, how do I get rid of it?

Thank you, Tony and Pieter, for all your help and your patience.

 

Just go to Start > Run, type Notepad and hit 'enter'.

Notepad will launch. Now copy those three bold lines and paste them into that new text document.

Save anywhere you like as Taskbar.reg (make sure you save the file as 'all file types' ).

Doubleclick your newly created Taskbar.reg file, and answer 'yes' when prompted to add its contents to the registry.


As for the file being in use, do a Ctrl-Alt-Delete in order to bring up Task Manager.
Highlight the LHSFOBC process, and choose 'end task'..
Subsequently you'll be able to delete it.
Alternatively start your computer in Safe Mode, and delete it there.


Good luck,

 

Well, I've deleted the C:\Windows\System\LHSFOBC.exe program and added the lines to the REGEDIT as was suggested and I'm still getting the empty pop-ups. Here's the Hijack This log that I just copied. I'd really love to get rid of the pop-ups.


Logfile of HijackThis v1.97.2
Scan saved at 2:37:37 PM, on 9/21/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\CREATIVE\PLAYCENTER2\CTNMRUN.EXE
C:\WINDOWS\RunDLL.exe
C:\HP PHOTOSMART\PHOTO FINISHING SOFTWARE\ONLINEREG\REMIND32.EXE
C:\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\SBC\CONNECTION MANAGER\CMANAGER.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://connecticut.rivals.com/forum.asp?sid=1039&fid=1367&style=1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\sfvrvj7g.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\sfvrvj7g.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\CREATIVE\PLAYCENTER2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = D:\Publisher\Office10\OSA.EXE
O4 - Startup: Reminder-hpc40404.lnk = C:\HP PhotoSmart\Photo Finishing Software\OnLineReg\Remind32.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yse/yinstmulti.cab

 

Hi HuskyNan,

This still needs fixing:
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup

Could you check the properties of one of these mystery pop-ups and tell us what they say?

Regards,

Pieter

 

When I check for properties, I usually use my right mouse button, click then choose Properties from the menu, so I assume that's what you wanted me to do? Anyway, nothing happens if I right click on the empty program. If I click and hold the right mouse button a couple of the empty programs "named" themselves (Sorry I don't know the right term)

One of the empty programs said "favorites" and the other said "CiceroUIWndFrame".

I have deleted the

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup

I deleted it yesterday too, so it has come back somehow. Isn't SpywareBlaster supposed to prevent that?

 

Hi HuskyNan,

Do you have Office XP?

NewDotNet is not running, so SpywareBlaster is doing it's job allright.

Regards,

Pieter

 

We have Windows 98 on our PC.

I think I may have solved my problem, although I'm not sure how it started. I decided to simply watch my PC to see how long it took for the empty programs to start. As it turns out, they showed up when our screen saver would normally start up. So, I simply changed the type of screen saver and the time it takes to come up and we've had no more empty programs since then.

I don't understand why this started happening right after we started using the privacy software. I thought the privacy software and the empty programs must be related, but perhaps not?