OK- let's start with this:
1. Have HJT fix:
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {E5D2AE1E-6B15-40B6-95F8-81898FD654D5} - F:\WINDOWS\System32\qwsxp.dll
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht! http://69.50.166.214/counter/new/x.chm::/update.exe
O18 - Filter: text/html - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5ò"DÆR - {A1A8A07C-CE32-4791-BA1C-2EC5D55CB86F} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5òTÆR - {492F22A1-A110-4271-9440-ABDF7A82C581} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5òžEÆR - {F80D4AD0-2F16-4214-B9A6-352A9843D75B} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5ò‰EÆR - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll
2. Verify that the following IP address is a valid address for your ISP's DNS server. If it isn't, remove it from the DNS server list in your network card's TCP/IP properties:
69.50.188.180
3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)
- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".
- Delete the following file (and let us know if you are you are unable to locate it):
F:\WINDOWS\System32\qwsxp.dll
- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:
1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5
- Delete the entire content of your C:\Windows\Temp folder.
Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.
- Empty your Recycle Bin.
- Reboot normally.
4. Go to the following two sites and run their free online anti-virus/anti-spyware scans. Let us know the results.
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://housecall.trendmicro.com/
5. Run HJT again and post a fresh log.
Browser redirect/about:blank/other problems...
I have a browser redirect problem and the about:blank page defaulting to one of those annoying "web search" pages. I also have "Your computer might be at risk" balloons that pop-up pretending to be Windows and files called winwiz32.exe and sprmover.exe that keep attempting to access the internet through my firewall.
I've scanned with Lavasoft Adaware SE, Spybot S&D and removed a "Freshbar" toolbar I had (which keeps coming back) with remv3. I have Norton Antivirus and Internet Security with up-to-date definitions. I've read the "Helping yourself" thread and it seems I've done everything I can myself so far...
Here is my log:
Logfile of HijackThis v1.99.1
Scan saved at 22:48:50, on 21/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Norton Internet Security\SymProxySvc.exe
F:\Program Files\Norton Internet Security\NISSERV.EXE
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\WINDOWS\SYSTEM32\USRshutA.exe
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\Norton Internet Security\IAMAPP.EXE
F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
F:\WINDOWS\System32\sprmover.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\remv3\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btinternet.com/DiallerCheck.htm?dver=3.0?dtype=BTISurfTime?daff=BTI?durl=http://www.btopenworld.com?duser=thealex@btinternet.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E5D2AE1E-6B15-40B6-95F8-81898FD654D5} - F:\WINDOWS\System32\qwsxp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] F:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [BTopenworld] "f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht! http://69.50.166.214/counter/new/x.chm::/update.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{52900464-9E5C-4E42-A01A-75BEA76A6C29}: NameServer = 69.50.188.180,195.225.176.31
O18 - Filter: text/html - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5ò"DÆR - {A1A8A07C-CE32-4791-BA1C-2EC5D55CB86F} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5òTÆR - {492F22A1-A110-4271-9440-ABDF7A82C581} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5òžEÆR - {F80D4AD0-2F16-4214-B9A6-352A9843D75B} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5ò‰EÆR - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
I think I need to delete some of the SearchAssistant entries but I'm no expert in whether this will solve the problem...
It seems strange I've put a smiley at the title of a virus thread, well I thank you in anticipation for your help!
[/b]2. Verify that the following IP address is a valid address for your ISP's DNS server. If it isn't, remove it from the DNS server list in your network card's TCP/IP properties:
69.50.188.180
I've completed step 1 but I'm unable to find the DNS server list. I've followed tutorials and it seems I was looking in the right place, but in my Network Connections there is no Networking tab and nothing that takes me to where I seem to need to be (I've tried every possibility..)...
It has to be there, unless something has gotten seriously fouled up on your computer.
Specific directions for XP (you'll need to be logged in under an account with administrative permissions):
1. Under your Start button menu, go to Settings->Control Panel->Network Connections.
2. Right-click on the entry for your particular network connection/device and choose "Properties".
3. In the "This connection uses the following items" list in the General tab of the Properties window, scroll down to the Internet Protocol (TCP/IP) item and double-click on it.
4. Your basic DNS settings will be displayed in the resulting properties window; click on the "Advanced " button to bring up the "Advanced TCP/IP Settings" and then click on the "DNS" tab to access your full DNS settings.
This is quite frustrating as I've seen the extra tabs in the Network Connections area before (though this may have been on Windows 98 as I only upgraded to XP last year).
The connection is BTOW (BT Openworld). All I have is a General tab that displays a drop-down box with my modem details and Phone Number underneath. The Advanced tab has an Internet Connection Firewall checkbox and a Settings button that is blanked out.
Sorry- I didn't realize that it's a dial-up modem; the Properties are layed out a bit differently for that. Something still seems amiss though- you should have a "Networking" tab in the modem properties; your TCP/IP settings would be under that.
It sounds like you know what you're looking for (and that you are looking in the right place). Not being able to physically site down at your machine, I don't really know what to suggest except to keep poking around. :?:
I've completed everything apart from step 2. The about:blank problem has stopped but I'm still getting the 2 files I mentioned accessing the internet (sprmover.exe and winwiz32.exe - is it safe to delete them?), the Spyware 'help' balloons and a fake "System Guard" pop-up when I block them. Also an extra frame occasionally appears at the bottom of my browser window telling me about Spyware. I'm also still getting the pop-ups I had with links to gambling/'dating' sites etc...
Something I forgot to mention before, when I log onto my computer and click on my BT Yahoo connection it takes a while (around a minute) for the relevant dialogue box to appear (everything is fully loaded, this didn't happen before the virus).
Results of the scans:
Activescan:
Incident Status Location
Adware:Adware/Megatds No disinfected F:\WINDOWS\System32\msufe.dll
Spyware:Spyware/FastSearchWeb No disinfected Windows Registry
Housecall:
TROJ SMALL.ZJ Non Cleanable F:\System Volume Information\_restore{DD9BC53B-BF61-47D1-B063-BCBF02FACC60}\RP3\A0000543.EXE
TROJ SMALL.ZJ Non Cleanable F:\System Volume Information\_restore{DD9BC53B-BF61-47D1-B063-BCBF02FACC60}\RP3\A0000548.EXE
Logfile of HijackThis v1.99.1
Scan saved at 15:33:17, on 26/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Norton Internet Security\NISSERV.EXE
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\WINDOWS\SYSTEM32\USRshutA.exe
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\Norton Internet Security\IAMAPP.EXE
F:\Program Files\Norton Internet Security\SymProxySvc.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\System32\ctfmon.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
F:\WINDOWS\System32\notepad.exe
F:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
F:\WINDOWS\System32\sprmover.exe
F:\WINDOWS\System32\smbdins.exe
F:\WINDOWS\System32\sethcd.exe
F:\remv3\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btinternet.com/DiallerCheck.htm?dver=3.0?dtype=BTISurfTime?daff=BTI?durl=http://www.btopenworld.com?duser=thealex@btinternet.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] F:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [BTopenworld] "f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{52900464-9E5C-4E42-A01A-75BEA76A6C29}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAF9B6CD-E823-4F30-9031-9DC3E52CEC5D}: NameServer = 213.1.119.99 213.1.119.100
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks.
... I'm still getting the 2 files I mentioned accessing the internet (sprmover.exe and winwiz32.exe - is it safe to delete them?
Yes, definitely- we'll get to that in a moment.
1. Housecall found infected files in your System Restore folder; you'll need to turn off the Restore function to flush those out. Instructions are here: http://www.daniweb.com/techtalkforums/thread13362.html .
2. Reboot into Safe Mode again, and:
- Delete the following files:
F:\WINDOWS\System32\winwiz32.exe
F:\WINDOWS\System32\sprmover.exe
F:\WINDOWS\System32\smbdins.exe
F:\WINDOWS\System32\sethcd.exe
- Delete the entire contents of your C:\Windows\Prefetch folder.
- Empty your Recycle Bin.
- Reboot normally.
3. Run HJT again and post a new log.
I forget to mention I have also blocked a file called mcafee32.exe - judging by research I've done I think I should delete this too?
New log:
Logfile of HijackThis v1.99.1
Scan saved at 23:19:08, on 26/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Norton Internet Security\NISSERV.EXE
F:\WINDOWS\Explorer.EXE
F:\Program Files\Norton Internet Security\SymProxySvc.exe
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\Norton Internet Security\IAMAPP.EXE
F:\WINDOWS\SYSTEM32\USRshutA.exe
F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\remv3\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btinternet.com/DiallerCheck.htm?dver=3.0?dtype=BTISurfTime?daff=BTI?durl=http://www.btopenworld.com?duser=thealex@btinternet.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] F:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [BTopenworld] "f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{52900464-9E5C-4E42-A01A-75BEA76A6C29}: NameServer = 69.50.188.180,195.225.176.31
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-Alex.
I've just read something on my Network Connections, "The properties for this connection have been optimised for you. There are no user definable settings that can be made for this connection other than choice of modem." This could be why I couldn't locate those IP address details earlier...
I forget to mention I have also blocked a file called mcafee32.exe - judging by research I've done I think I should delete this too?
Yes- it's malicious.
Other than that though, the good news is that your log looks clean now.
As for the modem/Internet settings, I'm not sure about that and don't have the time to research it right now. I'll get back to you after I've had a chance to do so.
You need to go to Windows Update and get the Critical Updates for your system, at least SP1.
You need to go to Windows Update and get the Critical Updates for your system, at least SP1.
I bought the updates on CD, so once I get my computer clean...
I've still had the browser redirect, the spyware frame at the bottom of IE and winwiz32.exe.trying to access the internet even though I deleted it...
The about:blank problem has stopped and I can also access the Internet as soon as my computer starts up now.
Should I update to SP2 anyway?
I am logging off now, but if you want you can download silent runners so that we can see if there is anything else running there that hijackthis cannot pick-up? I will have to check back tomorrow to have a look at the results.
Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.
How do I run that? It was associated with Xing player (video/MP3 software) but I've removed that association...
Should I update to SP2 anyway?
No, definitely not yet. Installing SP2 on an infected or otherwise problematic system isnot recommended; you could easily end up with much larger problems than you have now.
You can (and should) make sure you've applied all of the current critical/security updates for your current version of XP, but hold off on the SP2 upgrade until your computer is clean.
How do I run that? It was associated with Xing player (video/MP3 software) but I've removed that association...
SilentRunners is just a VB (Visual Basic) script; if it somehow showed up as associated with Xing, that was a mistake on Windows' part.
The fileshould have a .vbs extension (if it doesn't, rename it so that it does), which would tell Windows that the file is a self-executing script. If the script won't run properly for some reason, try right-clicking on it, choose the "Open With..." option, and see if you have the option to open the file with the Windows Based Script Host. If you do, that program will run the script.
I get the error message "There is no script engine for file extension ".vbs"."
I'll see if I can run it through DOS later today...
It seems like you don't have the Windows Scripting Host installed; you can download the Win XP/2000 version here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c717d943-7e4b-4622-86eb-95a22b832caa&displaylang=en
"Silent Runners.vbs", revision 31.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "F:\WINDOWS\System32\ctfmon.exe" [MS]
"msnmsgr" = ""F:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"USRpdA" = "F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" ["U.S. Robotics Corporation"]
"IMJPMIG8.1" = "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"NAV Agent" = "F:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"iamapp" = "F:\Program Files\Norton Internet Security\IAMAPP.EXE" ["Symantec Corporation"]
"BTopenworld" = ""f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial" ["British Telecommunications plc"]
"HPDJ Taskbar Utility" = "F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"TkBellExe" = ""F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""F:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SSC_UserPrompt" = "F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"rdspclips.exe" = "rdspclips.exe" [null data]
"sprmover.exe" = "sprmover.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3A90D030-B644-4899-9C75-CAAB7977E62D}\(Default) = "Name" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\msufe.dll" [null data]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "CNavExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
"{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f}" = "FTP Explorer Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "ftpxext.dll" ["FTPx Corp."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
Enabled Scheduled Tasks:
------------------------
"Norton AntiVirus - Scan my computer" -> launches: "F:\PROGRA~1\NORTON~1\NAVW32.exe /task:F:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "F:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Norton AntiVirus Auto Protect Service, navapsvc, "F:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Norton Internet Security Accounts Manager, NISUM, "F:\Program Files\Norton Internet Security\NISUM.EXE" ["Symantec Corporation"]
Norton Internet Security Proxy Service, SymProxySvc, "F:\Program Files\Norton Internet Security\SymProxySvc.exe" ["Symantec Corporation"]
Norton Internet Security Service, NISSERV, "F:\Program Files\Norton Internet Security\NISSERV.EXE" ["Symantec Corporation"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
