
"Connect to msnusers.com" Launches when clicking on my documents and settings folder.

Discussion in 'Windows XP' started by StoneManAl, 2004/06/17.

Thread Status:
Not open for further replies.
  1. 2004/06/17
    StoneManAl

    StoneManAl Inactive Thread Starter

    Joined:
    2003/11/19
    Messages:
    7
    Likes Received:
    0
    I'm using XP Pro with SP1 and all critical updates. I have a single user PC and it's set up that way. I am not on a network. When I left click on the folder with my name, all users or the default user in Documents and Settings, a pop-up launches titled "Connect to www.msnusers.com" with user name and password entry boxes. I have to close it 3 - 4 times before it remains closed. I do not have an MS Passport account and the MS .NET Framework has been uninstalled. This is new behavior and I can't figure out what's happening. The pop-up shows up in Task Manager as a running app associated with the explorer.exe process. I've cleaned out all temp files, cookies and the prefetch. I've cleaned up the registry with Ace Utilities. I don't see anything suspicious in startup or running processes. Ad-Aware and Spybot don't come up with anything. PC-cillin comes up clean. I'm out of ideas. I'd appreciate any help anyone can provide.
     
  2. 2004/06/17
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Download Hijackthis. Put it in a folder other than temp or desktop or similar. Maybe make a new folder under C:\ called HJT or AntiSpyware or something.

    With all windows closed, run Hijackthis and when it finishes, opt to have it create a scan log. The log will open in notepad and when it does, select all and post the log here. We need the entire thing. If you are badly eaten up it may take two posts to get it all in the thread since it could easily exceed the maximum allowed length for a single post.
     
    Newt,
    #2

  4. 2004/06/17
    StoneManAl

    StoneManAl Inactive Thread Starter

    Joined:
    2003/11/19
    Messages:
    7
    Likes Received:
    0
    Here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:28:14 PM, on 6/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Stardock\SDMCP.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\$ISR\0\ISRService.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Raxco\PerfectDisk\PDSched.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\$ISR\$APP\ISRMonitor.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Downloads\Hijack\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Basic\CCHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Basic\popuppro.dll
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe "
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe "
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe "
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ISR_MONITOR] C:\$ISR\$APP\ISRMonitor.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe "
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
    O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38036.7019560185
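
Added example, not part of the original post and not HijackThis's own code: a small Python parser for the log format shown above. It separates the running-process list from the section entries, counts entries per section code, and lists O4 Run-key autoruns whose command does not match a running process path. The sample is a constructed subset of the posted log and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a few lines taken from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\CursorXP\CursorXP.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Basic\CCHelper.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe "
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                    # "O4 - ..."
RUN = re.compile(r"^(HK\w+)\\\.\.\\\w+: \[(.+?)\] (.*)$")     # registry Run keys

def parse(log):
    """Split a log into (running process paths, [(section code, body), ...])."""
    procs, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        elif (m := ENTRY.match(line)):
            entries.append((m.group(1), m.group(2)))
    return procs, entries

def section_counts(entries):
    """How many entries each section code (R0, O2, O4, ...) contributes."""
    return dict(Counter(code for code, _ in entries))

def autoruns_not_running(procs, entries):
    """O4 Run-key entries whose command is not a path in the process list."""
    running = {p.lower() for p in procs}
    flagged = []
    for code, body in entries:
        m = RUN.match(body) if code == "O4" else None
        if m and m.group(3).strip('" ').lower() not in running:
            flagged.append((m.group(1), m.group(2)))
    return flagged

if __name__ == "__main__":
    procs, entries = parse(SAMPLE_LOG)
    print(section_counts(entries))
    print(autoruns_not_running(procs, entries))
```

Entries started through a host process such as rundll32.exe never match a process path, so they are listed for manual review rather than treated as suspicious.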
     
  5. 2004/06/17
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Well, I think you keep your system cleaner than mine usually are. Dang - was hoping for an easy fix here. Ah well, some research needed I guess.

    Meanwhile, Process Explorer might give you more information to help track down this problem.

    Off topic but how do you like the FirstDefense-ISR? I use GoBack and like it but given what Symantec did with the main parts of the Norton utilities I may need options at some point.
     
    Newt,
    #4
  6. 2004/06/17
    StoneManAl

    StoneManAl Inactive Thread Starter

    Joined:
    2003/11/19
    Messages:
    7
    Likes Received:
    0
    I was hoping for something relatively easy too. I'm also hoping to win the lottery but that isn't working out either ;-)

    I seem to be making a little headway. Something in the registry might be hosed. I did a restore to a checkpoint from a week ago. Now I can just cancel out of the Passport sign-in dialog box once without it reappearing until the next time I open my Documents and Settings/StoneManAl document folder in Explorer. Just to double check, I opened my document folder from My Documents in the Start Panel and also from the My Documents folder in Explorer and didn't encounter the problem. Weird! Also checked out the .NET items in Control Panel/Administrative Tools to see if there were any configuration options that might be involved but no luck there. I'll take a look at Process Explorer as you suggested.

    I really like First Defense. Bought it as a package with Perfect Disk which I also like. It's really easy to use, it's not resource intensive and gives you a great deal of control over how it functions. It's really nice to have in situations like the one I'm in now. I know I can go back as far as a clean install of XP Pro if need be.
     
  7. 2004/06/18
    StoneManAl

    StoneManAl Inactive Thread Starter

    Joined:
    2003/11/19
    Messages:
    7
    Likes Received:
    0
    Here's more info.

    I used Process Explorer as you suggested. While monitoring the threads, I noted that a dll named MSONSEXT loads when the Passport sign-in dialog box opens and unloads when I cancel out of the dialog. This dll is located in Program Files/Common Files/Microsoft Shared/Web Folders. Other than that I haven't been able to find any information on how this could be linked to my StoneManAl documents folder in such a way as to launch the Passport sign-in dialog.
     
  8. 2004/06/18
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi StoneManAl, Newt

    I see nothing in the log to be alarmed with

    Your prompt to sign in is odd, I wonder what would happen if you got a passport and chose to automatically sign in :)
     
  9. 2004/06/18
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Program Files\Common Files\Microsoft Shared\Web Folders\Msonsext.dll

    Not a lot of information out there about that one but I think it is the main binary for WebDAV/Web Folders.

    If you use Encrypted File System (EFS) to encrypt and decrypt files, and you want to keep the files encrypted when they are shared across the network, use Web Distributed Authoring and Versioning (WebDAV) and Web Folders.

    Lonny's suggestion might work.

    If not and based on the above, if you think maybe you don't need it, you might try renaming it to Msonsext.dll.old. My system doesn't seem to have a copy in the dllcache so it probably isn't a system protected file and thus won't be immediately replaced if you rename it. Then see if you broke anything.
     
    Newt,
    #8
  10. 2004/06/20
    StoneManAl

    StoneManAl Inactive Thread Starter

    Joined:
    2003/11/19
    Messages:
    7
    Likes Received:
    0
    I tried signing up for a Passport account and that stopped the behavior for 1 day. The next morning, after boot up, the behavior reappeared. I changed the dll name to .old as suggested and that seems to have fixed it permanently. Everything's working. I checked the event log and nothing odd is appearing there. I cancelled my Passport account and that didn't have any effect. I don't know how the document folders became linked with the Passport sign-in but at least it appears to be disabled without any adverse consequences.

    Thank you both very much for your help. Thanks also for the tip on Process Explorer. It's a really nice tool and without it I don't think I would have found the dll involved in my problem.
     
  11. 2004/06/20
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Great news. Now all we need is for some really bright person to post the reason that particular thing was happening.

    Still, if it is no longer happening and nothing else broke, that's a good thing.
     