I have a browser redirect problem and the about:blank page defaulting to one of those annoying "web search" pages. I also have "Your computer might be at risk" balloons that pop-up pretending to be Windows and files called winwiz32.exe and sprmover.exe that keep attempting to access the internet through my firewall.

I've scanned with Lavasoft Adaware SE, Spybot S&D and removed a "Freshbar" toolbar I had (which keeps coming back) with remv3. I have Norton Antivirus and Internet Security with up-to-date definitions. I've read the "Helping yourself" thread and it seems I've done everything I can myself so far...

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 22:48:50, on 21/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Norton Internet Security\SymProxySvc.exe
F:\Program Files\Norton Internet Security\NISSERV.EXE
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\WINDOWS\SYSTEM32\USRshutA.exe
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\Norton Internet Security\IAMAPP.EXE
F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
F:\WINDOWS\System32\sprmover.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\remv3\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btinternet.com/DiallerCheck.htm?dver=3.0?dtype=BTISurfTime?daff=BTI?durl=http://www.btopenworld.com?duser=email@example.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E5D2AE1E-6B15-40B6-95F8-81898FD654D5} - F:\WINDOWS\System32\qwsxp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM..\Run: [iamapp] F:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM..\Run: [BTopenworld] "f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.214/counter/new/x.chm::/update.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O17 - HKLM\System\CCS\Services\Tcpip..{52900464-9E5C-4E42-A01A-75BEA76A6C29}: NameServer = 69.50.188.180,195.225.176.31
O18 - Filter: text/html - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5ò"DÆR - {A1A8A07C-CE32-4791-BA1C-2EC5D55CB86F} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5òTÆR - {492F22A1-A110-4271-9440-ABDF7A82C581} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5òžEÆR - {F80D4AD0-2F16-4214-B9A6-352A9843D75B} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5ò‰EÆR - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I think I need to delete some of the SearchAssistant entries but I'm no expert in whether this will solve the problem...

It seems strange I've put a smiley at the title of a virus thread, well I thank you in anticipation for your help!

Recommended Answers

All 27 Replies

OK- let's start with this:

1. Have HJT fix:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {E5D2AE1E-6B15-40B6-95F8-81898FD654D5} - F:\WINDOWS\System32\qwsxp.dll
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.214/counter/new/x.chm::/update.exe
O18 - Filter: text/html - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5ò"DÆR - {A1A8A07C-CE32-4791-BA1C-2EC5D55CB86F} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5òTÆR - {492F22A1-A110-4271-9440-ABDF7A82C581} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5òžEÆR - {F80D4AD0-2F16-4214-B9A6-352A9843D75B} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5ò‰EÆR - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll


2. Verify that the following IP address is a valid address for your ISP's DNS server. If it isn't, remove it from the DNS server list in your network card's TCP/IP properties:

69.50.188.180


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Delete the following file (and let us know if you are you are unable to locate it):
F:\WINDOWS\System32\qwsxp.dll

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.


4. Go to the following two sites and run their free online anti-virus/anti-spyware scans. Let us know the results.

http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://housecall.trendmicro.com/


5. Run HJT again and post a fresh log.

[/b]2. Verify that the following IP address is a valid address for your ISP's DNS server. If it isn't, remove it from the DNS server list in your network card's TCP/IP properties:

69.50.188.180

I've completed step 1 but I'm unable to find the DNS server list. I've followed tutorials and it seems I was looking in the right place, but in my Network Connections there is no Networking tab and nothing that takes me to where I seem to need to be (I've tried every possibility..)...

It has to be there, unless something has gotten seriously fouled up on your computer.

Specific directions for XP (you'll need to be logged in under an account with administrative permissions):

1. Under your Start button menu, go to Settings->Control Panel->Network Connections.

2. Right-click on the entry for your particular network connection/device and choose "Properties".

3. In the "This connection uses the following items" list in the General tab of the Properties window, scroll down to the Internet Protocol (TCP/IP) item and double-click on it.

4. Your basic DNS settings will be displayed in the resulting properties window; click on the "Advanced " button to bring up the "Advanced TCP/IP Settings" and then click on the "DNS" tab to access your full DNS settings.

This is quite frustrating as I've seen the extra tabs in the Network Connections area before (though this may have been on Windows 98 as I only upgraded to XP last year).

The connection is BTOW (BT Openworld). All I have is a General tab that displays a drop-down box with my modem details and Phone Number underneath. The Advanced tab has an Internet Connection Firewall checkbox and a Settings button that is blanked out.

Sorry- I didn't realize that it's a dial-up modem; the Properties are layed out a bit differently for that. Something still seems amiss though- you should have a "Networking" tab in the modem properties; your TCP/IP settings would be under that.

It sounds like you know what you're looking for (and that you are looking in the right place). Not being able to physically site down at your machine, I don't really know what to suggest except to keep poking around. :?:

I've completed everything apart from step 2. The about:blank problem has stopped but I'm still getting the 2 files I mentioned accessing the internet (sprmover.exe and winwiz32.exe - is it safe to delete them?), the Spyware 'help' balloons and a fake "System Guard" pop-up when I block them. Also an extra frame occasionally appears at the bottom of my browser window telling me about Spyware. I'm also still getting the pop-ups I had with links to gambling/'dating' sites etc...

Something I forgot to mention before, when I log onto my computer and click on my BT Yahoo connection it takes a while (around a minute) for the relevant dialogue box to appear (everything is fully loaded, this didn't happen before the virus).

Results of the scans:

Activescan:

Incident                 Status      Location                                                         
Adware:Adware/Megatds         No disinfected                F:\WINDOWS\System32\msufe.dll                                    

Spyware:Spyware/FastSearchWeb No disinfected                Windows Registry   

Housecall:

TROJ SMALL.ZJ Non Cleanable F:\System Volume Information\_restore{DD9BC53B-BF61-47D1-B063-BCBF02FACC60}\RP3\A0000543.EXE
TROJ SMALL.ZJ Non Cleanable F:\System Volume Information\_restore{DD9BC53B-BF61-47D1-B063-BCBF02FACC60}\RP3\A0000548.EXE

Logfile of HijackThis v1.99.1
Scan saved at 15:33:17, on 26/02/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Norton Internet Security\NISSERV.EXE
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\WINDOWS\SYSTEM32\USRshutA.exe
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\Norton Internet Security\IAMAPP.EXE
F:\Program Files\Norton Internet Security\SymProxySvc.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\System32\ctfmon.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
F:\WINDOWS\System32\notepad.exe
F:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
F:\WINDOWS\System32\sprmover.exe
F:\WINDOWS\System32\smbdins.exe
F:\WINDOWS\System32\sethcd.exe
F:\remv3\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://www.btinternet.com/DiallerCheck.htm?dver=3.0?dtype=BTISurfTime?daff=BTI?durl=http://www.btopenworld.com?duser=<snip>[/url]
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] F:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [BTopenworld] "f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - [url]http://www.symantec.com/techsupp/asa/LSSupCtl.cab[/url]
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab[/url]
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - [url]http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab[/url]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [url]http://www.pandasoftware.com/activescan/as5/asinst.cab[/url]
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - [url]http://www.symantec.com/techsupp/asa/SymAData.cab[/url]
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - [url]http://register.btinternet.com/templates/btwebcontrol023.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{52900464-9E5C-4E42-A01A-75BEA76A6C29}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAF9B6CD-E823-4F30-9031-9DC3E52CEC5D}: NameServer = 213.1.119.99 213.1.119.100
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks.

... I'm still getting the 2 files I mentioned accessing the internet (sprmover.exe and winwiz32.exe - is it safe to delete them?

Yes, definitely- we'll get to that in a moment.

1. Housecall found infected files in your System Restore folder; you'll need to turn off the Restore function to flush those out. Instructions are here: http://www.daniweb.com/techtalkforums/thread13362.html.


2. Reboot into Safe Mode again, and:

- Delete the following files:

F:\WINDOWS\System32\winwiz32.exe
F:\WINDOWS\System32\sprmover.exe
F:\WINDOWS\System32\smbdins.exe
F:\WINDOWS\System32\sethcd.exe

- Delete the entire contents of your C:\Windows\Prefetch folder.

- Empty your Recycle Bin.

- Reboot normally.


3. Run HJT again and post a new log.

I forget to mention I have also blocked a file called mcafee32.exe - judging by research I've done I think I should delete this too?

New log:

Logfile of HijackThis v1.99.1
Scan saved at 23:19:08, on 26/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Norton Internet Security\NISSERV.EXE
F:\WINDOWS\Explorer.EXE
F:\Program Files\Norton Internet Security\SymProxySvc.exe
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\Norton Internet Security\IAMAPP.EXE
F:\WINDOWS\SYSTEM32\USRshutA.exe
F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
F:\WINDOWS\SYSTEM32\USRmlnkA.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\remv3\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://www.btinternet.com/DiallerCheck.htm?dver=3.0?dtype=BTISurfTime?daff=BTI?durl=http://www.btopenworld.com?duser=<snip>[/url]
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM..\Run: [USRpdA] F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM..\Run: [iamapp] F:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM..\Run: [BTopenworld] "f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - [url]http://www.symantec.com/techsupp/asa/LSSupCtl.cab[/url]
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab[/url]
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - [url]http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab[/url]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [url]http://www.pandasoftware.com/activescan/as5/asinst.cab[/url]
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - [url]http://www.symantec.com/techsupp/asa/SymAData.cab[/url]
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - [url]http://register.btinternet.com/templates/btwebcontrol023.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip..{52900464-9E5C-4E42-A01A-75BEA76A6C29}: NameServer = 69.50.188.180,195.225.176.31
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

-Alex.

I've just read something on my Network Connections, "The properties for this connection have been optimised for you. There are no user definable settings that can be made for this connection other than choice of modem." This could be why I couldn't locate those IP address details earlier...

I forget to mention I have also blocked a file called mcafee32.exe - judging by research I've done I think I should delete this too?

Yes- it's malicious.
Other than that though, the good news is that your log looks clean now.

As for the modem/Internet settings, I'm not sure about that and don't have the time to research it right now. I'll get back to you after I've had a chance to do so.

You need to go to Windows Update and get the Critical Updates for your system, at least SP1.

Thanks for the catch Danny- :)

You need to go to Windows Update and get the Critical Updates for your system, at least SP1.

I bought the updates on CD, so once I get my computer clean...

I've still had the browser redirect, the spyware frame at the bottom of IE and winwiz32.exe.trying to access the internet even though I deleted it...

The about:blank problem has stopped and I can also access the Internet as soon as my computer starts up now.

Should I update to SP2 anyway?

I am logging off now, but if you want you can download silent runners so that we can see if there is anything else running there that hijackthis cannot pick-up? I will have to check back tomorrow to have a look at the results.

Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.

How do I run that? It was associated with Xing player (video/MP3 software) but I've removed that association...

Should I update to SP2 anyway?

No, definitely not yet. Installing SP2 on an infected or otherwise problematic system is not recommended; you could easily end up with much larger problems than you have now.

You can (and should) make sure you've applied all of the current critical/security updates for your current version of XP, but hold off on the SP2 upgrade until your computer is clean.

How do I run that? It was associated with Xing player (video/MP3 software) but I've removed that association...

SilentRunners is just a VB (Visual Basic) script; if it somehow showed up as associated with Xing, that was a mistake on Windows' part.

The file should have a .vbs extension (if it doesn't, rename it so that it does), which would tell Windows that the file is a self-executing script. If the script won't run properly for some reason, try right-clicking on it, choose the "Open With..." option, and see if you have the option to open the file with the Windows Based Script Host. If you do, that program will run the script.

I get the error message "There is no script engine for file extension ".vbs"."

I'll see if I can run it through DOS later today...

"Silent Runners.vbs", revision 31.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "F:\WINDOWS\System32\ctfmon.exe" [MS]
"msnmsgr" = ""F:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"USRpdA" = "F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" ["U.S. Robotics Corporation"]
"IMJPMIG8.1" = "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"NAV Agent" = "F:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"iamapp" = "F:\Program Files\Norton Internet Security\IAMAPP.EXE" ["Symantec Corporation"]
"BTopenworld" = ""f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial" ["British Telecommunications plc"]
"HPDJ Taskbar Utility" = "F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"TkBellExe" = ""F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""F:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SSC_UserPrompt" = "F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"rdspclips.exe" = "rdspclips.exe" [null data]
"sprmover.exe" = "sprmover.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3A90D030-B644-4899-9C75-CAAB7977E62D}\(Default) = "Name" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\msufe.dll" [null data]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "CNavExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
"{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f}" = "FTP Explorer Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "ftpxext.dll" ["FTPx Corp."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "F:\PROGRA~1\NORTON~1\NAVW32.exe /task:F:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "F:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Norton AntiVirus Auto Protect Service, navapsvc, "F:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Norton Internet Security Accounts Manager, NISUM, "F:\Program Files\Norton Internet Security\NISUM.EXE" ["Symantec Corporation"]
Norton Internet Security Proxy Service, SymProxySvc, "F:\Program Files\Norton Internet Security\SymProxySvc.exe" ["Symantec Corporation"]
Norton Internet Security Service, NISSERV, "F:\Program Files\Norton Internet Security\NISSERV.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Norton has now found a trojan horse called opensdl.exe...it wasn't long after I ran that vbs script (I'm always wary about downloading ANYTHING)...I haven't been on any 'dodgy' sites as far as I know so this is quite annoying...

Norton has managed to quarantine opensdl.exe...

Norton has now found a trojan horse called opensdl.exe

Is that the correct spelling of the infected file? I can't find any info on it...

You need to do a search of your PC for the following files and delete all instances that you find;

rdspclips.exe
sprmover.exe
F:\WINDOWS\System32\msufe.dll

Safe mode would be the go here too. Otherwise they may not delete.

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Please post an hijackthis log after a reboot and also another silent runners log.

I doubt whether those files were downloaded with silent runners, as this tool is recommended on many sites :).

Is that the correct spelling of the infected file? I can't find any info on it...

It is, and neither could I (though if you folks can't find anything about it??), I just checked the name in my Norton report log. It was in my system32 folder.

I'm about to delete those files so I'll report back after.

Logfile of HijackThis v1.99.1
Scan saved at 21:59:57, on 02/03/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:WINDOWSSystem32smss.exe
F:WINDOWSsystem32winlogon.exe
F:WINDOWSsystem32services.exe
F:WINDOWSsystem32lsass.exe
F:WINDOWSsystem32svchost.exe
F:WINDOWSSystem32svchost.exe
F:WINDOWSsystem32spoolsv.exe
F:Program FilesNorton AntiVirusnavapsvc.exe
F:Program FilesNorton Internet SecurityNISUM.EXE
F:WINDOWSSystem32svchost.exe
F:Program FilesNorton Internet SecurityNISSERV.EXE
F:Program FilesNorton Internet SecuritySymProxySvc.exe
F:WINDOWSExplorer.EXE
F:WINDOWSSYSTEM32USRmlnkA.exe
F:PROGRA~1NORTON~1navapw32.exe
F:WINDOWSSYSTEM32USRshutA.exe
F:Program FilesNorton Internet SecurityIAMAPP.EXE
F:WINDOWSSYSTEM32USRmlnkA.exe
F:Program FilesCommon FilesRealUpdate_OBrealsched.exe
F:Program FilesCommon FilesSymantec SharedSecurity CenterUsrPrmpt.exe
F:WINDOWSSystem32ctfmon.exe
F:Program FilesMSN Messengermsnmsgr.exe
F:remv3hijackthisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet Connection Wizard,ShellNext =  <a href="http://www.btinternet.com/DiallerCheck.htm?dver=3.0?dtype=BTISurfTime?daff=BTI?durl=http://www.btopenworld.com?duser=" rel="nofollow">http://www.btinternet.com/DiallerCheck.htm?dver=3.0?dtype=BTISurfTime?daff=BTI?durl=http://www.btopenworld.com?duser=</a> 
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:Program FilesYahoo!CompanionInstallscpnycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:Program FilesAdobeAcrobat 6.0ReaderActiveXAcroIEHelper.dll
O2 - BHO: Name - {3A90D030-B644-4899-9C75-CAAB7977E62D} - F:WINDOWSSystem32msufe.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:Program FilesNorton AntiVirusNavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:WINDOWSSystem32msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:Program FilesNorton AntiVirusNavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:Program FilesYahoo!CompanionInstallscpnycomp5_5_7_0.dll
O4 - HKLM..Run: [USRpdA] F:WINDOWSSYSTEM32USRmlnkA.exe RunServices Device3cpipe-USRpdA
O4 - HKLM..Run: [IMJPMIG8.1] F:WINDOWSIMEimjp8_1IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM..Run: [PHIME2002ASync] F:WINDOWSSystem32IMETINTLGNTTINTSETP.EXE /SYNC
O4 - HKLM..Run: [PHIME2002A] F:WINDOWSSystem32IMETINTLGNTTINTSETP.EXE /IMEName
O4 - HKLM..Run: [NAV Agent] F:PROGRA~1NORTON~1navapw32.exe
O4 - HKLM..Run: [iamapp] F:Program FilesNorton Internet SecurityIAMAPP.EXE
O4 - HKLM..Run: [BTopenworld] "f:program filesbt yahoo! internetDialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM..Run: [HPDJ Taskbar Utility] F:WINDOWSSystem32spooldriversw32x863hpztsb04.exe
O4 - HKLM..Run: [TkBellExe] "F:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot
O4 - HKLM..Run: [QuickTime Task] "F:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [SSC_UserPrompt] F:Program FilesCommon FilesSymantec SharedSecurity CenterUsrPrmpt.exe
O4 - HKLM..Run: [rdspclips.exe] rdspclips.exe
O4 - HKLM..Run: [sprmover.exe] sprmover.exe
O4 - HKCU..Run: [ctfmon.exe] F:WINDOWSSystem32ctfmon.exe
O4 - HKCU..Run: [msnmsgr] "F:Program FilesMSN Messengermsnmsgr.exe" /background
O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerControl Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -  <a href="http://www.symantec.com/techsupp/asa/LSSupCtl.cab" rel="nofollow">http://www.symantec.com/techsupp/asa/LSSupCtl.cab</a> 
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -  <a href="http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab" rel="nofollow">http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab</a> 
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -  <a href="http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab" rel="nofollow">http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab</a> 
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -  <a href="http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab" rel="nofollow">http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab</a> 
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -  <a href="http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab" rel="nofollow">http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab</a> 
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -  <a href="http://www.pandasoftware.com/activescan/as5/asinst.cab" rel="nofollow">http://www.pandasoftware.com/activescan/as5/asinst.cab</a> 
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -  <a href="http://www.symantec.com/techsupp/asa/SymAData.cab" rel="nofollow">http://www.symantec.com/techsupp/asa/SymAData.cab</a> 
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) -  <a href="http://register.btinternet.com/templates/btwebcontrol023.cab" rel="nofollow">http://register.btinternet.com/templates/btwebcontrol023.cab</a> 
O17 - HKLMSystemCCSServicesTcpip..{52900464-9E5C-4E42-A01A-75BEA76A6C29}: NameServer = 69.50.188.180,195.225.176.31
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:Program FilesNorton AntiVirusnavapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - F:Program FilesNorton Internet SecurityNISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:Program FilesNorton Internet SecurityNISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:PROGRA~1COMMON~1SYMANT~1SCRIPT~1SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:Program FilesCommon FilesSymantec SharedSNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - F:Program FilesNorton Internet SecuritySymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:Program FilesCommon FilesSymantec SharedSecurity CenterSymWSC.exe

"Silent Runners.vbs", revision 31.1,  <a href="http://www.silentrunners.org/" rel="nofollow">http://www.silentrunners.org/</a> 
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun {++}
"ctfmon.exe" = "F:WINDOWSSystem32ctfmon.exe" [MS]
"msnmsgr" = ""F:Program FilesMSN Messengermsnmsgr.exe" /background" [MS]

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun {++}
"USRpdA" = "F:WINDOWSSYSTEM32USRmlnkA.exe RunServices Device3cpipe-USRpdA" ["U.S. Robotics Corporation"]
"IMJPMIG8.1" = "F:WINDOWSIMEimjp8_1IMJPMIG.EXE /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "F:WINDOWSSystem32IMETINTLGNTTINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "F:WINDOWSSystem32IMETINTLGNTTINTSETP.EXE /IMEName" [MS]
"NAV Agent" = "F:PROGRA~1NORTON~1navapw32.exe" ["Symantec Corporation"]
"iamapp" = "F:Program FilesNorton Internet SecurityIAMAPP.EXE" ["Symantec Corporation"]
"BTopenworld" = ""f:program filesbt yahoo! internetDialBTYahoo.exe" /ReInstallAutoDial" ["British Telecommunications plc"]
"HPDJ Taskbar Utility" = "F:WINDOWSSystem32spooldriversw32x863hpztsb04.exe" ["HP"]
"TkBellExe" = ""F:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""F:Program FilesQuickTimeqttask.exe" -atboottime" ["Apple Computer, Inc."]
"SSC_UserPrompt" = "F:Program FilesCommon FilesSymantec SharedSecurity CenterUsrPrmpt.exe" ["Symantec Corporation"]
"rdspclips.exe" = "rdspclips.exe" [file not found]
"sprmover.exe" = "sprmover.exe" [file not found]

HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
{02478D38-C3F9-4efb-9B51-7695ECA05670}(Default) = "Yahoo! Companion BHO" [from CLSID]
  -> {CLSID}InProcServer32(Default) = "F:Program FilesYahoo!CompanionInstallscpnycomp5_5_7_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}InProcServer32(Default) = "F:Program FilesAdobeAcrobat 6.0ReaderActiveXAcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3A90D030-B644-4899-9C75-CAAB7977E62D}(Default) = "Name" [from CLSID]
  -> {CLSID}InProcServer32(Default) = "F:WINDOWSSystem32msufe.dll" [file not found]
{BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = "CNavExtBho Class" [from CLSID]
  -> {CLSID}InProcServer32(Default) = "F:Program FilesNorton AntiVirusNavShExt.dll" ["Symantec Corporation"]

HKLMSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}InProcServer32(Default) = "F:WINDOWSSystem32hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}InProcServer32(Default) = "F:Program FilesRealRealOne Playerrpshellext.dll" ["RealNetworks"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}InProcServer32(Default) = "F:Program FilesWinRARrarext.dll" [null data]
"{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f}" = "FTP Explorer Shell Extension"
  -> {CLSID}InProcServer32(Default) = "ftpxext.dll" ["FTPx Corp."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}InProcServer32(Default) = "F:Program FilesMicrosoft OfficeOffice10OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}InProcServer32(Default) = "F:Program FilesMicrosoft OfficeOffice10msohev.dll" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "F:PROGRA~1NORTON~1NAVW32.exe /task:F:DOCUME~1ALLUSE~1APPLIC~1SymantecNORTON~1Tasksmycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "F:Program FilesSymantecLiveUpdateNDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Norton AntiVirus Auto Protect Service, navapsvc, "F:Program FilesNorton AntiVirusnavapsvc.exe" ["Symantec Corporation"]
Norton Internet Security Accounts Manager, NISUM, "F:Program FilesNorton Internet SecurityNISUM.EXE" ["Symantec Corporation"]
Norton Internet Security Proxy Service, SymProxySvc, "F:Program FilesNorton Internet SecuritySymProxySvc.exe" ["Symantec Corporation"]
Norton Internet Security Service, NISSERV, "F:Program FilesNorton Internet SecurityNISSERV.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLMSystemCurrentControlSetServicesWinsock2ParametersNameSpace_Catalog5Catalog_Entries {++}
000000000001LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]
000000000002LibraryPath = "%SystemRoot%System32winrnr.dll" [MS]
000000000003LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]

Transport Service Providers

HKLMSystemCurrentControlSetServicesWinsock2ParametersProtocol_Catalog9Catalog_Entries {++}
0000000000##PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%system32mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%system32rsvpsp.dll [MS], 04 - 05


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


I had already deleted sprmover.exe in Safe Mode, the file creation date of this new file was 02 March 05.

Looks good :). Just some orphaned entries now to remove.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

O2 - BHO: Name - {3A90D030-B644-4899-9C75-CAAB7977E62D} - F:\WINDOWS\System32\msufe.dll (file missing)

O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe

Check the 017 entry and ensure the IP's belong to your ISP. If not, fix that line too.
Apart from that, you are good to go.
You definitely need to get service pack 1 for both XP and IE6 or you'll be back with more goodies.

I was unable to find out where the IP addresses are from in a previous check, so I made backups of them and fixed them on Hijack This. My Internet connection seems to be working fine still, so should it be okay that I've deleted those lines even if they belong to my ISP? There was only one of the IP lines there the first time I scanned with HT so it seems the other one at least has appeared since.

I have the SP2 CD somewhere so I'll update.

Thanks for you help, and I hope this is the end of it!

If you are still able to get online, that's good :). Hopefully that is it. Could not see any more.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.