unstsa2.exe - Is This Really a Trojan?
pop pop
08-05-2004, 03:39 AM
NAV, Spybot S&D, Ad-Aware, and TrojanHunter all show my system as clean. All those programs are up-to-date, as is Windoze. When using IE (I mostly use Firefox now), I've been seeing what looks like a momentary redirect when accessing the homepage set in IE (My.MSN.com) for the first time after boot. It goes through the login sequence, then pops up a text line that says "Object Moved Here". Clicking Here takes me to the My.MSN page. I should say that this has always happened since I changed that homepage to My.MSN.com (a couple of weeks ago). Sometimes it will not connect and I have to close IE several times before it finally does.
So, tonight I ran an online scan using Housecall. I just do that as a matter of routine every so often. Normally, it runs clean. Tonight there was a script error reported when I clicked to start the scan. I chose not to run any more scripts and the scan started. When it finished it said I had one virus/trojan that was uncleanable. The file identified is unstsa2.exe. Trend Micro said it is a Trojan keylogger. Norton's online database at sarc.com/avcenter/venc/data/pf/adware.blazefind.html calls it Adware.BlazeFind and says it redirects searches to BlazeFind.com. I don't see that happen. Norton also says: The program performs the following actions: 1. Creates the following files:
* %System%\2_0_1browserhelper2.dll
* %System%\UnstSA2.exe
* %System%\key2.txt
The second and third are in the system, the first is not. I ran a HJT log and as far as I can see there's nothing unusual.
Again, NAV, Spybot, Ad-aware and TrojanHunter run clean. What do you think?
shanmuga
08-05-2004, 04:50 AM
That sure looks like remnants of blazefind. The first one, "%System%\2_0_1browserhelper2.dll", which you didn't find, is the baddie there.
You can safely delete those files, but before doing that, post a HijackThis log, which will show whether you have blazefind or not.
HijackThis 1.98.1 (http://www.majorgeeks.com/download3155.html)
pop pop
08-05-2004, 06:24 AM
I'm now at work so I'll have to post the log when I get home. I ran it using HJT 1.98. I've downloaded 1.98.1 and will use that for the post.
I looked at the key2.txt file and it's really a binary with some ASCII. The ASCII shows that it's a BHO and does some stuff with opening/changing the IE connection. The HJT log only showed three BHOs and those all looked "legit" and familiar ... but then I'm not an expert with HJT logs, just a learner.
It's interesting that NAV didn't declare the detection. I wonder if it looks for all three files and the associated registry changes before doing so whereas Housecall may have made the detection solely based on the presence of the UnstSA2.exe file? The other question is how did it get in when I have a hardware firewall, software firewall, NAV, and TrojanHunter Guard running all the time?
In any case I want it out of there.
pop pop
08-05-2004, 04:11 PM
OK, I did more research and here's some of what I found:
These two files still exist: UnstSA2.exe and key2.txt. References to the related baddie are also located in a Firefox cache file (BHO List V1.0 by Merijn; how does Firefox use this list?) and also in an Ad-Aware log file from a month ago. What I think happened is that I ran Ad-Aware, it detected the BlazeFind malware and removed the 2_0_1browserhelper2.dll file. The associated registry entries appear to have been fixed, too.
I will remove the two remnant files. Here's my HJT log. As far as I can tell, it is clean. Can you confirm, please?
Logfile of HijackThis v1.98.1
Scan saved at 1:52:08 PM, on 8/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Documents and Settings\Will\Desktop\framxpro\FreeRAM XP Pro 1.40.exe
C:\Program Files\Topmost Clock\TopMostClock.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Will\Desktop\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [TopmostClock] C:\Program Files\Topmost Clock\TopMostClock.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
shanmuga
08-06-2004, 02:12 AM
Your log looks fine. You would have viewed the BHO list using Firefox; that may be the reason for its appearance in the cache. Though they can do no harm without the dll file, delete those two files and clear the Firefox cache and Ad-Aware log to avoid tagging by Housecall.
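The reasoning in this thread (the O2 BHO lines in the HijackThis log decide whether BlazeFind is still active, while UnstSA2.exe and key2.txt on their own are harmless leftovers) can be turned into a small check. This is an added example, not code from the thread or from HijackThis: it parses O2 lines in the HJT log format shown above and combines them with a list of file names found on disk. The sample log lines are copied from the thread, except the last one, which is constructed with a placeholder CLSID.

```python
import re

# HijackThis O2 line format, as seen in the thread's log:
#   O2 - BHO: <name> - {<CLSID>} - <dll path>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# File names quoted from the Symantec write-up in the thread (lower-cased).
BLAZEFIND_FILES = {"2_0_1browserhelper2.dll", "unstsa2.exe", "key2.txt"}
BLAZEFIND_BHO_DLL = "2_0_1browserhelper2.dll"  # the component that is actually loaded by IE

def parse_bhos(log_text):
    """Return (name, clsid, dll path) for every O2 line in an HJT log."""
    bhos = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bhos.append((m.group("name"), m.group("clsid"), m.group("path")))
    return bhos

def assess_blazefind(log_text, files_on_disk):
    """'active'   -> the BlazeFind DLL is still registered as a BHO
       'remnants' -> only helper files are left, no BHO registration
       'clean'    -> no indicator present at all"""
    bhos = parse_bhos(log_text)
    active = [b for b in bhos if b[2].lower().endswith(BLAZEFIND_BHO_DLL)]
    leftovers = {f.lower() for f in files_on_disk} & BLAZEFIND_FILES
    if active:
        verdict = "active"
    elif leftovers:
        verdict = "remnants"
    else:
        verdict = "clean"
    return {"bhos": bhos, "active_bho": active,
            "leftover_files": sorted(leftovers), "verdict": verdict}

# Constructed sample: two O2 lines and one O4 line from the thread's log.
CLEAN_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\\Program Files\\Microsoft Money\\System\\mnyside.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"""
# Constructed line standing in for a still-registered BlazeFind BHO; the CLSID is a placeholder.
INFECTED_LOG = CLEAN_LOG + (
    "O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - "
    "C:\\WINNT\\System32\\2_0_1browserhelper2.dll\n")

if __name__ == "__main__":
    print(assess_blazefind(CLEAN_LOG, ["UnstSA2.exe", "key2.txt"])["verdict"])  # remnants
    print(assess_blazefind(INFECTED_LOG, ["UnstSA2.exe"])["verdict"])           # active
    print(assess_blazefind(CLEAN_LOG, [])["verdict"])                            # clean
```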
pop pop
08-06-2004, 09:49 AM
Thanks.
PrntRhd
08-06-2004, 10:46 AM
poppop,
Good pickup on those remnants!
Just something different about Firefox: it does not have a checkbox to clear the cache on exit. You have to go to Tools>Options>Privacy and click the Clear Cache button. I leave Privacy expanded to make it easier, then OK on the bottom (it opens to Privacy when I go back).
pop pop
08-07-2004, 09:28 AM
Thanks for the info. I've learned quite a bit about sniffing out malware since I've been posting here thanks to all you people.
I think a clear cache on exit would be a good option for FF to add sometime. :)