Winfix Blackworm problem [RESOLVED]

#16 thespia (Member, Topic Starter, 15 posts)
Hi Phil-

I started to ride off into the sunset but before I could get away......

I ran a scan of Microsoft Defender (the new Microsoft Antispyware) per your suggestion and discovered something rather troubling:

Possible Hosts File Hijack
Category: Spyware
Description: This program has potentially unwanted behavior.
Advice: Remove this software immediately.
Resources: file: C:\WINDOWS\system32\drivers\etc\hosts

SearchCentrix
Category: Browser Modifier
Description: This program has potentially unwanted behavior.
Advice: Remove this software immediately.
Resources:
regkey: HKCU@S-1-5-21-2473937354-413888376-4199112212-500\Software\Dynamic Toolbar
regkey: HKCU@S-1-5-21-2473937354-413888376-4199112212-1003\Software\Dynamic Toolbar

Defender confirms the results of Spysweeper which say my hosts file has been hijacked-yikes. I have not hit removal on either of these-wanted to see what you thought. I know I can't delete the hosts file and I already replaced it with Hoster so it must be getting infiltrated. I wonder if that is what WinSpy does and there are vestiges of that on my system perhaps? Hoping you can shed some light on this when you get a chance.

thanks,
thespia
  • 0


#17 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello again

Would you please be kind enough to run HJT and produce a different log?
  • Open HijackThis.
  • Click on "Open Misc Tools Section"
  • Open Uninstall Manager
  • Save List
It will produce a NotePad Page, called Uninstall.txt. Please copy the entire contents of that page and paste it here.
  • 0

#18 thespia (Member, Topic Starter, 15 posts)
Certainly. Here is the log:

Ad-Aware SE Personal
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Photoshop Album Starter Edition
Adobe Reader 6.0
Agere Systems PCI Soft Modem
America Online (Choose which version to remove)
AOL (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
AVG Free Edition
Blackhawk Striker from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
Blaze Audio RipEditBurn 2 Trial
Bounce Symphony from Compaq (remove only)
CCleaner (remove only)
Compaq Connections
Compaq Instant Support
Compaq Organize
Creative DVD Audio Plugin for Audigy Series
CutePDF Writer 2.5
dBpowerAMP
dBpowerAMP FLAC Codec
dBpowerAMP Music Converter
Delivery Manager
Delta Force Land Warrior
Easy Internet Sign-up
ewido anti-malware
Excavation from Compaq (remove only)
exPressit S.E. 2.1
F13 ScreenSaver-Deathtops Backgrounds
Final Draft 6 Viewer
Five Card Frenzy from Compaq (remove only)
Google Gmail Notifier
HijackThis 1.99.1
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 3.0
HP Software Update
Image Expert
IntelliMover Data Transfer Demo
InterActual Player
InterVideo WinDVD 6
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
iPod Access for Windows v1.0
iPod Update 2004-04-28
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
KBD
Learn2 Player (Uninstall Only)
Lexmark X83
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office 2000 Premium
Microsoft Office Standard Edition 2003
Microsoft Picture It! Express 7.0
Microsoft Plus! Digital Media Edition
Microsoft Works 7.0
Movie Magic Contracts 2.0
Mozilla Firefox (1.0.7)
Multimedia Card Reader
MUSICMATCH® Jukebox
MWSnap 3
Norton Internet Security
Norton SystemWorks 2002
Norton WMI Update
NVIDIA GART Driver
Orbital from Compaq (remove only)
Otto from Compaq (remove only)
Overball from Compaq (remove only)
PC-Doctor for Windows
Photosmart 140,240,7200,7600,7700,7900 Series
Plaxo
Polar Bowler from Compaq (remove only)
PowerQuest Drive Image 7.0
PrimoPDF
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2004
QuickTime
RealPlayer
RecordNow!
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Slyder from Compaq (remove only)
Sonic Update Manager
SpamSubtract
Spy Sweeper
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VuePrint
Winamp (remove only)
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
Yahoo! Companion
Zone Deluxe Games

thank you-

thespia
  • 0

#19 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello again

Your uninstall list looks OK with the exception of Viewpoint, which is considered foistware as it is normally installed by stealth. It is spyware as it "phones home", but not malicious. I recommend uninstalling both entries.

Looking towards your Hosts problem, it would appear to be virus activity, which doesn't make sense with the amount of protection you have, so something is reversing the deletion. As you know, antispyware programmes do this as it is their job. So firstly, disable Windows Defender, SpySweeper and Ewido Guard from operating during the fix.

Please download Agobot Cleaner to your desktop.
  • open AGOBOT CLEANER
  • Accept Terms and Conditions of Use
  • then click GO.
  • The scanner will start and when finished it saves a log C:\Resolve.log
That should clear the problem, but please run HOSTER to reset the list.
  • 0

#20 thespia (Member, Topic Starter, 15 posts)
Hello,

The Agobot was negative. Here are the results:

RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Agobot

Data Version 1.19

System scan started at 07:11 on 21 March 2006

Checking for W32/Agobot in memory
Checking services
Checking for W32/Agobot in memory
Checking for registry keys affected by W32/Agobot
Checking for files affected by W32/Agobot
Scanning C:
Scanning D:
Scanning C:\WINDOWS\system32\drivers\etc

System scan finished at 07:14 on 21 March 2006

 Processes found                     : 0
 Processes terminated or disinfected : 0
 Services found                      : 0
 Services removed                    : 0
 Registry keys affected              : 0
 Registry keys changed               : 0
 Files found                         : 0
 Files deleted                       : 0


I reset the Hosts file. Then I reactivated Spysweeper and it once again showed a possible browser hijack on local hosts. I then completely shut down Spysweeper and opened Defender and did another scan. I have been very careful to only have one anti-spyware and one antivirus turned on since you explained this to me.

Once again it came up Possible Hosts File Hijack and Search Centrix. Should I remove these? I am afraid to remove the Hosts file.

Since this all happened I have been thinking about what is different now. When we fixed the computer, one thing I didn't notice until today was something that I always used to notice. Norton Security would always let me know svchost.exe was accessing the internet when I connected to AOL. In fact I would get two alerts on this. When we cleaned up the malware this went away, but this morning it has started again with one alert that svchost.exe was accessing the internet as I signed on to AOL. I am wondering if win-spy was not completely removed and has rebuilt itself. I googled it and know that svchost is one of the files it can hijack and that file should not be accessing the net: http://www.neuber.co...vchost.exe.html. Perhaps this is the malware we are dealing with? Somehow this gets activated when I go on the internet.

http://www.bleepingc...s.exe-6805.html

Please let me know if I am just being over cautious, since I was concerned when win-spy was found by Spysweeper and want to make sure it is all gone.

thank you,

thespia
  • 0

#21 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello again

Thanks for the info.

You might want to try this; I have just tried it out to see if it works and it does.

Find this file and send it to the recycle bin by deleting it.

C:\WINDOWS\system32\drivers\etc\hosts

Now run Hoster. It will tell you "HOSTS file does not exist - click OK to create HOSTS file" click OK > close programme.

You now have a new HOSTS file.

Have a look at this thread: http://www.webuser.c...185/an/0/page/0

I would suggest quarantining Search Centrix.

I used to run Microsoft Antispyware and got rid of it after it didn't find malware that Ewido did, but it found one item that was legitimate.
  • 0

#22 thespia (Member, Topic Starter, 15 posts)
Thanks for the article. It probably was a false positive. It's quarantined at any rate.

I successfully deleted the hosts file; there were two in that location, hosts and lmhosts. Restored my hosts file with Hoster.

Everything seems to be working fine, except for the positive on a hijacked hosts file on Spysweeper and Defender though they may be false positives.

If you know of any sure way for me to check if all of win-spy has been removed please let me know.

Other than that I now am riding off into the sunset. Thank you again for all your help and expertise.

thespia
  • 0
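Whether a hosts file flagged as a "possible hijack" is a false positive comes down to what its entries actually do. As an added example (not code from the thread or from Hoster, Defender or Spy Sweeper), the script below separates block-list entries that sink ad and tracker names locally from entries that redirect or sinkhole names a user relies on; WATCHED_DOMAINS is an illustrative list and SAMPLE_HOSTS is constructed for the example.

```python
"""Hosts-file triage: separate block-list entries from hijack indicators.
Added example, not from the thread or any tool named in it. WATCHED_DOMAINS is
an illustrative list and SAMPLE_HOSTS is constructed for this example."""
import ipaddress

WATCHED_DOMAINS = {"www.google.com", "update.microsoft.com", "free.grisoft.com"}
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Return (line_no, ip, hostname) for every valid mapping; comments ignored."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first token is not an address
        for name in fields[1:]:                 # one line may map several names
            entries.append((line_no, fields[0], name.lower()))
    return entries

def classify(entries):
    """Block-list entries sink ad/tracker names locally (Hoster/MVPS style, benign);
    redirects send a relied-on name elsewhere, or sink it so updates fail (hijack)."""
    buckets = {"blocklist": [], "redirect": [], "other": []}
    for entry in entries:
        _, ip, name = entry
        if name == "localhost" and ip in LOCAL_SINKS:
            continue                            # the one entry every hosts file has
        if name in WATCHED_DOMAINS:
            buckets["redirect"].append(entry)
        elif ip in LOCAL_SINKS:
            buckets["blocklist"].append(entry)
        else:
            buckets["other"].append(entry)      # unknown name -> remote IP, review
    return buckets

def analyze(text):
    """Return (verdict, buckets). A big block list alone is not a hijack."""
    buckets = classify(parse_hosts(text))
    if buckets["redirect"]:
        return "hijack-indicators", buckets
    if buckets["other"]:
        return "review", buckets
    return ("blocklist-only" if buckets["blocklist"] else "clean"), buckets

SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test        # block-list style
127.0.0.1       banners.example-adserver.test   # block-list style
203.0.113.7     www.google.com                  # search page sent to a remote host
127.0.0.1       update.microsoft.com            # vendor site sinkholed
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_HOSTS)[0])              # hijack-indicators
```

To check a real machine, pass the contents of the hosts file at the path Defender reported (C:\WINDOWS\system32\drivers\etc\hosts) to analyze() instead of the constructed sample.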

#23 thespia (Member, Topic Starter, 15 posts)
Oh no. Spoke too soon. I am hoping that this is a result of our fix. I opened Internet Explorer and it went to this page instead of my start page, which is Google:

http://www.microsoft.....w.google.com/

Malicious Software Removal Tool Has Changed Your Home Page
Find Out How to Restore Your Internet Explorer Home and Search Page Preferences
Published: March 10, 2005

The Microsoft Windows Malicious Software Removal Tool has detected and removed malicious software from your computer. The software that had infected your computer may have modified your browser's home page and search page without your knowledge and prevented you from restoring your preferences. To help protect your computer from infection by a potentially malicious Web page, the Malicious Software Removal Tool has changed your home page and search page to this page.

This page includes information on restoring your page preferences, as well as further guidance to help avoid infection in the future.


Restore Your Preferred Browser Home Page
To change your Internet Explorer home page:

1. In Internet Explorer, navigate to the Web page that you want to make your home page.
2. On the Tools menu, click Options.
3. On the General tab, under Home Page, click the Use Current button to make the Web page your home page.
4. Click the OK button to close the Internet Options dialog box.

Restore Your Preferred Web Search Page
Restoring your search page preference requires editing the registry, a task that should be undertaken by advanced users only. For information on changing your search page, see Microsoft Knowledge Base Article 895339.

Use Up-to-Date Antivirus Software
Because malicious software has been found on your computer, you should thoroughly scan your computer with up-to-date antivirus software. If you already have antivirus software installed, be sure to set your software to update itself automatically so that it stays current with latest updates to protect against new Internet threats. If you do not have antivirus software, we recommend that you install some as soon as possible. For more antivirus software information, including links to Microsoft Virus Alliance partner Web sites, see our Protect Your PC guidance.

Technical Assistance
Contact your antivirus vendor for assistance with identifying or removing virus or worm infections. If you need more help with virus-related issues, contact Microsoft Product Support Services.

• For support within the United States and Canada, call toll-free (866) PCSAFETY (727-2338).

• For worldwide support, contact your local Microsoft office.




Let me know what this means please when you have the time.

thanks,

thespia
  • 0

#24 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hmmmmm! Where have I seen that before?

We will have to use MS Anti-Spyware to get rid of it, because that's what keeps putting that entry back.
  • Open Microsoft Antispyware.
  • In the right upper corner go to Advanced tools
  • Please click on "Change restore setting to a new URL".
  • Change it to something you would like to use as your homepage.
  • If prompted for the change, allow it.
  • When the left hand side is showing a 'good' restore, press "Restore This Setting Now".
  • We need to get a non-infected page there.
Please substitute Windows Defender for MS Antispyware

Also, can you upload that winsys.exe file to Jotti for a scan? here's how:

You need to do a search for it first of all with all files showing, none hidden.

Please set your system to show all files; please see here if you're unsure how to do this.

Search for: winsys.exe please note the path.

Please visit Jotti.org for a file scan. At the top of the page find File to upload and scan click Browse, navigate to the file path you just found.

Then click Submit and wait while Jotti scans the file. Please note the findings where it says Status a few lines down from the top, and let me know in your reply.
  • 0

#25 thespia (Member, Topic Starter, 15 posts)
I never installed MS Antispyware and it is not on my system. I do have Defender installed. Defender is not running though, only Spysweeper and AVG are along with a Norton firewall.


The file that was discovered by Spysweeper and identified as Win-Spy they listed as:

C:\windows\dll

It was in quarantine by Spysweeper but when we thought everything was fine I deleted it per your instruction. I did look for a winsys.exe file but could not find one.

thespia
  • 0


#26 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
I think you have misunderstood me. I know you don't have MS Anti-Spyware, you have Windows Defender which is the former with a different name. Hence I said to substitute. Never mind, I'll do it instead.

We will have to use Windows Defender to get rid of it, because that's what keeps putting that entry back.
  • Open Windows Defender.
  • In the right upper corner go to Advanced tools
  • Please click on "Change restore setting to a new URL".
  • Change it to something you would like to use as your homepage.
  • If prompted for the change, allow it.
  • When the left hand side is showing a 'good' restore, press "Restore This Setting Now".
  • We need to get a non-infected page there.

  • 0

#27 thespia (Member, Topic Starter, 15 posts)
I'm sorry. I misunderstood what you meant earlier.

I got confused because the version of Defender that I have, Windows Defender Beta 2, does not have the option of advanced tools anywhere, nor the ability to do what you asked. It has Tools, but the options are only General Settings, Quarantined Items, Allowed Items, Software Explorer, and links to their web sites.

I went to IE's options and reset the URL that way. So far the homepage has stayed on google since I have done this.

thespia
  • 0

#28 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
My apologies, I haven't looked at the Beta2 version of Defender.

Sounds like all is OK now.

I will leave this thread open for a few days in case of misfortune.
  • 0

#29 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0