 |  |  |  |  |  |  |  |
Browser redirect/about:blank/other problems...
 |
•
•
Join Date: Feb 2005
Posts: 51
Reputation: 
Solved Threads: 1
Junior Poster in Training
Norton has now found a trojan horse called opensdl.exe...it wasn't long after I ran that vbs script (I'm always wary about downloading ANYTHING)...I haven't been on any 'dodgy' sites as far as I know so this is quite annoying...
Norton has managed to quarantine opensdl.exe...
Norton has managed to quarantine opensdl.exe...
www.last.fm/music/The+Cakes
One day to go!
www.holeinmyhead.co.uk
Gig & travel photos, writing, artwork & other stuff...
One day to go!
www.holeinmyhead.co.uk
Gig & travel photos, writing, artwork & other stuff...
•
•
•
•
Originally Posted by TheAlex
Norton has now found a trojan horse called opensdl.exe
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
•
•
Join Date: Feb 2004
Posts: 10,018
Reputation: 
Solved Threads: 759
You need to do a search of your PC for the following files and delete all instances that you find;
rdspclips.exe
sprmover.exe
F:\WINDOWS\System32\msufe.dll
Safe mode would be the go here too. Otherwise they may not delete.
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
Please post an hijackthis log after a reboot and also another silent runners log.
I doubt whether those files were downloaded with silent runners, as this tool is recommended on many sites
.
rdspclips.exe
sprmover.exe
F:\WINDOWS\System32\msufe.dll
Safe mode would be the go here too. Otherwise they may not delete.
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
Please post an hijackthis log after a reboot and also another silent runners log.
I doubt whether those files were downloaded with silent runners, as this tool is recommended on many sites
. Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
•
•
Join Date: Feb 2005
Posts: 51
Reputation:
Solved Threads: 1
Junior Poster in Training
•
•
•
•
Originally Posted by DMR
Is that the correct spelling of the infected file? I can't find any info on it...
I'm about to delete those files so I'll report back after.
www.last.fm/music/The+Cakes
One day to go!
www.holeinmyhead.co.uk
Gig & travel photos, writing, artwork & other stuff...
One day to go!
www.holeinmyhead.co.uk
Gig & travel photos, writing, artwork & other stuff...
•
•
Join Date: Feb 2005
Posts: 51
Reputation:
Solved Threads: 1
Junior Poster in Training
Logfile of HijackThis v1.99.1
Scan saved at 21:59:57, on 02/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Norton Internet Security\NISSERV.EXE
F:\Program Files\Norton Internet Security\SymProxySvc.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\WINDOWS\SYSTEM32\USRshutA.exe
F:\Program Files\Norton Internet Security\IAMAPP.EXE
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\remv3\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btinternet.com/DiallerChe...btinternet.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Name - {3A90D030-B644-4899-9C75-CAAB7977E62D} - F:\WINDOWS\System32\msufe.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] F:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [BTopenworld] "f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templ...control023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{52900464-9E5C-4E42-A01A-75BEA76A6C29}: NameServer = 69.50.188.180,195.225.176.31
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"Silent Runners.vbs", revision 31.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "F:\WINDOWS\System32\ctfmon.exe" [MS]
"msnmsgr" = ""F:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"USRpdA" = "F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" ["U.S. Robotics Corporation"]
"IMJPMIG8.1" = "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"NAV Agent" = "F:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"iamapp" = "F:\Program Files\Norton Internet Security\IAMAPP.EXE" ["Symantec Corporation"]
"BTopenworld" = ""f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial" ["British Telecommunications plc"]
"HPDJ Taskbar Utility" = "F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"TkBellExe" = ""F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""F:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SSC_UserPrompt" = "F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"rdspclips.exe" = "rdspclips.exe" [file not found]
"sprmover.exe" = "sprmover.exe" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3A90D030-B644-4899-9C75-CAAB7977E62D}\(Default) = "Name" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\msufe.dll" [file not found]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "CNavExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
"{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f}" = "FTP Explorer Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "ftpxext.dll" ["FTPx Corp."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
Enabled Scheduled Tasks:
------------------------
"Norton AntiVirus - Scan my computer" -> launches: "F:\PROGRA~1\NORTON~1\NAVW32.exe /task:F:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "F:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Norton AntiVirus Auto Protect Service, navapsvc, "F:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Norton Internet Security Accounts Manager, NISUM, "F:\Program Files\Norton Internet Security\NISUM.EXE" ["Symantec Corporation"]
Norton Internet Security Proxy Service, SymProxySvc, "F:\Program Files\Norton Internet Security\SymProxySvc.exe" ["Symantec Corporation"]
Norton Internet Security Service, NISSERV, "F:\Program Files\Norton Internet Security\NISSERV.EXE" ["Symantec Corporation"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
I had already deleted sprmover.exe in Safe Mode, the file creation date of this new file was 02 March 05.
Scan saved at 21:59:57, on 02/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Norton Internet Security\NISSERV.EXE
F:\Program Files\Norton Internet Security\SymProxySvc.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\WINDOWS\SYSTEM32\USRshutA.exe
F:\Program Files\Norton Internet Security\IAMAPP.EXE
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\remv3\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btinternet.com/DiallerChe...btinternet.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Name - {3A90D030-B644-4899-9C75-CAAB7977E62D} - F:\WINDOWS\System32\msufe.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] F:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [BTopenworld] "f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templ...control023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{52900464-9E5C-4E42-A01A-75BEA76A6C29}: NameServer = 69.50.188.180,195.225.176.31
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"Silent Runners.vbs", revision 31.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "F:\WINDOWS\System32\ctfmon.exe" [MS]
"msnmsgr" = ""F:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"USRpdA" = "F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" ["U.S. Robotics Corporation"]
"IMJPMIG8.1" = "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"NAV Agent" = "F:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"iamapp" = "F:\Program Files\Norton Internet Security\IAMAPP.EXE" ["Symantec Corporation"]
"BTopenworld" = ""f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial" ["British Telecommunications plc"]
"HPDJ Taskbar Utility" = "F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"TkBellExe" = ""F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""F:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SSC_UserPrompt" = "F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"rdspclips.exe" = "rdspclips.exe" [file not found]
"sprmover.exe" = "sprmover.exe" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3A90D030-B644-4899-9C75-CAAB7977E62D}\(Default) = "Name" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\msufe.dll" [file not found]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "CNavExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
"{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f}" = "FTP Explorer Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "ftpxext.dll" ["FTPx Corp."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
Enabled Scheduled Tasks:
------------------------
"Norton AntiVirus - Scan my computer" -> launches: "F:\PROGRA~1\NORTON~1\NAVW32.exe /task:F:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "F:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Norton AntiVirus Auto Protect Service, navapsvc, "F:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Norton Internet Security Accounts Manager, NISUM, "F:\Program Files\Norton Internet Security\NISUM.EXE" ["Symantec Corporation"]
Norton Internet Security Proxy Service, SymProxySvc, "F:\Program Files\Norton Internet Security\SymProxySvc.exe" ["Symantec Corporation"]
Norton Internet Security Service, NISSERV, "F:\Program Files\Norton Internet Security\NISSERV.EXE" ["Symantec Corporation"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
I had already deleted sprmover.exe in Safe Mode, the file creation date of this new file was 02 March 05.
www.last.fm/music/The+Cakes
One day to go!
www.holeinmyhead.co.uk
Gig & travel photos, writing, artwork & other stuff...
One day to go!
www.holeinmyhead.co.uk
Gig & travel photos, writing, artwork & other stuff...
•
•
Join Date: Feb 2004
Posts: 10,018
Reputation:
Solved Threads: 759
Looks good . Just some orphaned entries now to remove.
Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.
O2 - BHO: Name - {3A90D030-B644-4899-9C75-CAAB7977E62D} - F:\WINDOWS\System32\msufe.dll (file missing)
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe
Check the 017 entry and ensure the IP's belong to your ISP. If not, fix that line too.
Apart from that, you are good to go.
You definitely need to get service pack 1 for both XP and IE6 or you'll be back with more goodies.
. Just some orphaned entries now to remove.Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.
O2 - BHO: Name - {3A90D030-B644-4899-9C75-CAAB7977E62D} - F:\WINDOWS\System32\msufe.dll (file missing)
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe
Check the 017 entry and ensure the IP's belong to your ISP. If not, fix that line too.
Apart from that, you are good to go.
You definitely need to get service pack 1 for both XP and IE6 or you'll be back with more goodies.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
•
•
Join Date: Feb 2005
Posts: 51
Reputation:
Solved Threads: 1
Junior Poster in Training
I was unable to find out where the IP addresses are from in a previous check, so I made backups of them and fixed them on Hijack This. My Internet connection seems to be working fine still, so should it be okay that I've deleted those lines even if they belong to my ISP? There was only one of the IP lines there the first time I scanned with HT so it seems the other one at least has appeared since.
I have the SP2 CD somewhere so I'll update.
Thanks for you help, and I hope this is the end of it!
I have the SP2 CD somewhere so I'll update.
Thanks for you help, and I hope this is the end of it!
www.last.fm/music/The+Cakes
One day to go!
www.holeinmyhead.co.uk
Gig & travel photos, writing, artwork & other stuff...
One day to go!
www.holeinmyhead.co.uk
Gig & travel photos, writing, artwork & other stuff...
•
•
Join Date: Feb 2004
Posts: 10,018
Reputation:
Solved Threads: 759
If you are still able to get online, that's good . Hopefully that is it. Could not see any more.
. Hopefully that is it. Could not see any more. Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
|
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Computer extremely slow - can you please help tell me what's wrong?
- Next Thread: CTFMON32 Hijackthis
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Viruses, Spyware and other Nasties Posts
adware anti-malware anti-virussitesaccessissue antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exam exploit facebook fake fancheckvirus gaming gtaiv gumblar hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee mega-d messagelabs microsoft mobile msn news obama paedophile panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirect redirecting reliability report research risk rogueantivirus scareware school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista warning windows worm zeroday
