| Browser redirect/about:blank/other problems...

I have a browser redirect problem and the about:blank page defaulting to one of those annoying "web search" pages. I also have "Your computer might be at risk" balloons that pop-up pretending to be Windows and files called winwiz32.exe and sprmover.exe that keep attempting to access the internet through my firewall.

I've scanned with Lavasoft Adaware SE, Spybot S&D and removed a "Freshbar" toolbar I had (which keeps coming back) with remv3. I have Norton Antivirus and Internet Security with up-to-date definitions. I've read the "Helping yourself" thread and it seems I've done everything I can myself so far...

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 22:48:50, on 21/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Norton Internet Security\SymProxySvc.exe
F:\Program Files\Norton Internet Security\NISSERV.EXE
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\WINDOWS\SYSTEM32\USRshutA.exe
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\Norton Internet Security\IAMAPP.EXE
F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
F:\WINDOWS\System32\sprmover.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\remv3\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btinternet.com/DiallerChe...btinternet.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E5D2AE1E-6B15-40B6-95F8-81898FD654D5} - F:\WINDOWS\System32\qwsxp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] F:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [BTopenworld] "f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.214/counter/new/x.chm::/update.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templ...control023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{52900464-9E5C-4E42-A01A-75BEA76A6C29}: NameServer = 69.50.188.180,195.225.176.31
O18 - Filter: text/html - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5�ò"DÆR - {A1A8A07C-CE32-4791-BA1C-2EC5D55CB86F} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5�ò�TÆR - {492F22A1-A110-4271-9440-ABDF7A82C581} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5�òžEÆR - {F80D4AD0-2F16-4214-B9A6-352A9843D75B} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5�ò‰EÆR - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I think I need to delete some of the SearchAssistant entries but I'm no expert in whether this will solve the problem... It seems strange I've put a smiley at the title of a virus thread, well I thank you in anticipation for your help! |
| ||
| Re: Browser redirect/about:blank/other problems...

OK- let's start with this:

1. Have HJT fix:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {E5D2AE1E-6B15-40B6-95F8-81898FD654D5} - F:\WINDOWS\System32\qwsxp.dll
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.214/counter/new/x.chm::/update.exe
O18 - Filter: text/html - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5�ò"DÆR - {A1A8A07C-CE32-4791-BA1C-2EC5D55CB86F} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5�ò�TÆR - {492F22A1-A110-4271-9440-ABDF7A82C581} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5�òžEÆR - {F80D4AD0-2F16-4214-B9A6-352A9843D75B} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5�ò‰EÆR - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll

2. Verify that the following IP address is a valid address for your ISP's DNS server. If it isn't, remove it from the DNS server list in your network card's TCP/IP properties:

69.50.188.180

3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".
- Delete the following file (and let us know if you are unable to locate it):
  F:\WINDOWS\System32\qwsxp.dll
- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:
  1. Local Settings\Temp
  2. Cookies
  3. History
  4. Local Settings\Temporary Internet Files\Content.IE5
- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.
- Reboot normally.

4. Go to the following two sites and run their free online anti-virus/anti-spyware scans. Let us know the results.

http://www.pandasoftware.com/actives..._principal.htm
http://housecall.trendmicro.com/

5. Run HJT again and post a fresh log. |
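
An added example (not part of the thread, and not HijackThis's own logic): a small Python triage pass over HijackThis result lines, using rules drawn from the entries selected in the post above (res:// page settings, the unnamed BHO, the O17 NameServer check) and then pivoting on the flagged DLL path to catch other entries that load it. The allow-list `TRUSTED_DNS` is an assumption; the thread never confirms which resolvers belong to the ISP.

```python
import re
from ipaddress import ip_address

# Entries copied from the HijackThis logs on this page.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E5D2AE1E-6B15-40B6-95F8-81898FD654D5} - F:\WINDOWS\System32\qwsxp.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{52900464-9E5C-4E42-A01A-75BEA76A6C29}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAF9B6CD-E823-4F30-9031-9DC3E52CEC5D}: NameServer = 213.1.119.99 213.1.119.100
O18 - Filter: text/html - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll
"""

# Assumption: the resolvers on the second adapter are treated as the ISP's.
# Confirm the real list with the ISP before relying on it.
TRUSTED_DNS = {"213.1.119.99", "213.1.119.100"}

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
MODULE_RE = re.compile(r"[A-Za-z]:\\[^/\n]*?\.(?:dll|exe|ocx)\b", re.IGNORECASE)


def parse_entries(log_text):
    """Return (section, body) pairs for every HijackThis result line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def modules_in(body):
    """Lower-cased local module paths (dll/exe/ocx) referenced by an entry."""
    return {p.lower() for p in MODULE_RE.findall(body)}


def untrusted(servers, trusted):
    """Resolvers that are not on the allow-list or are not valid IP addresses."""
    out = []
    for s in servers:
        try:
            if str(ip_address(s)) not in trusted:
                out.append(s)
        except ValueError:
            out.append(s)
    return out


def triage(log_text, trusted_dns):
    """Return (section, reason, body) findings; heuristics only, for human review."""
    entries = parse_entries(log_text)
    findings, bad_modules = [], set()
    for section, body in entries:
        reason = None
        if section in ("R0", "R1"):
            value = body.partition(" = ")[2]
            if value.startswith("res://") or value.endswith("(obfuscated)"):
                reason = "IE page setting points at a resource inside a local DLL"
        elif section == "O2" and body.startswith("BHO: (no name)"):
            reason = "unnamed Browser Helper Object"
        elif section == "O17" and "NameServer = " in body:
            value = body.partition("NameServer = ")[2].strip()
            rogue = untrusted(re.split(r"[,\s]+", value), trusted_dns)
            if rogue:
                reason = "resolver not on allow-list: " + ", ".join(rogue)
        if reason:
            findings.append((section, reason, body))
            bad_modules |= modules_in(body)
    # Second pass: any other entry loading a module that was already flagged.
    flagged = {body for _, _, body in findings}
    for section, body in entries:
        if body not in flagged and modules_in(body) & bad_modules:
            findings.append((section, "loads a module already flagged above", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG, TRUSTED_DNS):
        print(f"{section:>3}  {reason}\n     {body}")
```

The pivot step is what picks up the `text/html` O18 filter: nothing in that line looks odd by itself, but it loads the same DLL as the redirected search pages.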
| ||
| Re: Browser redirect/about:blank/other problems... Quote:
|
| ||
| Re: Browser redirect/about:blank/other problems...

It has to be there, unless something has gotten seriously fouled up on your computer. Specific directions for XP (you'll need to be logged in under an account with administrative permissions):

1. Under your Start button menu, go to Settings->Control Panel->Network Connections.
2. Right-click on the entry for your particular network connection/device and choose "Properties".
3. In the "This connection uses the following items" list in the General tab of the Properties window, scroll down to the Internet Protocol (TCP/IP) item and double-click on it.
4. Your basic DNS settings will be displayed in the resulting properties window; click on the "Advanced" button to bring up the "Advanced TCP/IP Settings" and then click on the "DNS" tab to access your full DNS settings. |
| ||
| Re: Browser redirect/about:blank/other problems... This is quite frustrating as I've seen the extra tabs in the Network Connections area before (though this may have been on Windows 98 as I only upgraded to XP last year). The connection is BTOW (BT Openworld). All I have is a General tab that displays a drop-down box with my modem details and Phone Number underneath. The Advanced tab has an Internet Connection Firewall checkbox and a Settings button that is blanked out. |
| ||
| Re: Browser redirect/about:blank/other problems... Sorry- I didn't realize that it's a dial-up modem; the Properties are laid out a bit differently for that. Something still seems amiss though- you should have a "Networking" tab in the modem properties; your TCP/IP settings would be under that. It sounds like you know what you're looking for (and that you are looking in the right place). Not being able to physically sit down at your machine, I don't really know what to suggest except to keep poking around. :?: |
| ||
| Re: Browser redirect/about:blank/other problems...

I've completed everything apart from step 2. The about:blank problem has stopped but I'm still getting the 2 files I mentioned accessing the internet (sprmover.exe and winwiz32.exe - is it safe to delete them?), the Spyware 'help' balloons and a fake "System Guard" pop-up when I block them. Also an extra frame occasionally appears at the bottom of my browser window telling me about Spyware. I'm also still getting the pop-ups I had with links to gambling/'dating' sites etc...

Something I forgot to mention before, when I log onto my computer and click on my BT Yahoo connection it takes a while (around a minute) for the relevant dialogue box to appear (everything is fully loaded, this didn't happen before the virus).

Results of the scans:

Activescan:
Incident Status Location
Adware:Adware/Megatds No disinfected F:\WINDOWS\System32\msufe.dll
Spyware:Spyware/FastSearchWeb No disinfected Windows Registry

Housecall:
TROJ SMALL.ZJ Non Cleanable F:\System Volume Information\_restore{DD9BC53B-BF61-47D1-B063-BCBF02FACC60}\RP3\A0000543.EXE
TROJ SMALL.ZJ Non Cleanable F:\System Volume Information\_restore{DD9BC53B-BF61-47D1-B063-BCBF02FACC60}\RP3\A0000548.EXE

Logfile of HijackThis v1.99.1
Scan saved at 15:33:17, on 26/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Norton Internet Security\NISSERV.EXE
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\WINDOWS\SYSTEM32\USRshutA.exe
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\Norton Internet Security\IAMAPP.EXE
F:\Program Files\Norton Internet Security\SymProxySvc.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\System32\ctfmon.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
F:\WINDOWS\System32\notepad.exe
F:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
F:\WINDOWS\System32\sprmover.exe
F:\WINDOWS\System32\smbdins.exe
F:\WINDOWS\System32\sethcd.exe
F:\remv3\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btinternet.com/DiallerChe...btinternet.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] F:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [BTopenworld] "f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templ...control023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{52900464-9E5C-4E42-A01A-75BEA76A6C29}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAF9B6CD-E823-4F30-9031-9DC3E52CEC5D}: NameServer = 213.1.119.99 213.1.119.100
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks. |
| ||
| Re: Browser redirect/about:blank/other problems... Quote:
1. Housecall found infected files in your System Restore folder; you'll need to turn off the Restore function to flush those out. Instructions are here: http://www.daniweb.com/techtalkforums/thread13362.html.

2. Reboot into Safe Mode again, and:

- Delete the following files:
  F:\WINDOWS\System32\winwiz32.exe
  F:\WINDOWS\System32\sprmover.exe
  F:\WINDOWS\System32\smbdins.exe
  F:\WINDOWS\System32\sethcd.exe
- Delete the entire contents of your C:\Windows\Prefetch folder.
- Empty your Recycle Bin.
- Reboot normally.

3. Run HJT again and post a new log. |
| ||
| Re: Browser redirect/about:blank/other problems...

I forgot to mention I have also blocked a file called mcafee32.exe - judging by research I've done I think I should delete this too?

New log:

Logfile of HijackThis v1.99.1
Scan saved at 23:19:08, on 26/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Norton Internet Security\NISSERV.EXE
F:\WINDOWS\Explorer.EXE
F:\Program Files\Norton Internet Security\SymProxySvc.exe
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\Norton Internet Security\IAMAPP.EXE
F:\WINDOWS\SYSTEM32\USRshutA.exe
F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\remv3\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btinternet.com/DiallerChe...btinternet.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] F:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [BTopenworld] "f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templ...control023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{52900464-9E5C-4E42-A01A-75BEA76A6C29}: NameServer = 69.50.188.180,195.225.176.31
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

-Alex. |
| ||
| Re: Browser redirect/about:blank/other problems... I've just read something on my Network Connections, "The properties for this connection have been optimised for you. There are no user definable settings that can be made for this connection other than choice of modem." This could be why I couldn't locate those IP address details earlier... |