
Author Topic: Unwanted internet connect at start up  (Read 1136 times)

Offline chew

  • New Member
  • *
  • Posts: 14
Unwanted internet connect at start up
« on: March 27, 2004, 15:37 »
Hello,
It's me again.
The internet connect window with a 'P' in the blue bit has returned. It appears every time at start up and pops up every few minutes when I'm offline.
I have gone into safe mode, turned off system restore, run Ad-Aware and Spybot, restarted my PC, turned system restore back on, but it's still happenin'.
(I've updated Ad-Aware and Spybot too.)
chew

Offline Simon

  • Administrator
  • *****
  • Posts: 76728
  • First to score 7/7 in Quiz of The Week's News 2017
Re:Unwanted internet connect at start up
« Reply #1 on: March 27, 2004, 19:40 »
Something is obviously still trying to connect, Chew. Try the following:

1. Have a look in your startup folder (C:\Documents and Settings\[yourname]\Start Menu\Programs\Startup, or right-click the Start button, choose Open, then find the Startup folder) and see if there's anything in there which obviously shouldn't be there. If you find anything obvious, move it elsewhere for now, then reboot and see what happens. If you find something dodgy, it may well reappear when you reboot, as it may have installed itself in the registry, so...

2. Download and run HijackThis. Copy the log to Notepad and post it here. Someone may be able to spot the baddie.

3. If you feel slightly more adventurous, click Start > Run, then type MSCONFIG. Hit OK, and look under the Startup tab. If you can see what might be causing the trouble, untick the box to disable it, then reboot. If the problem is cured, you can go back to MSCONFIG, note the registry address of the rogue item, and remove it from the registry. We have to advise extreme caution when working in the registry, as any slip-ups can have disastrous effects. Always back up your registry before tampering, and if you don't know what that means, leave it alone!
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline chew

  • New Member
  • *
  • Posts: 14
Re:Unwanted internet connect at start up
« Reply #2 on: March 28, 2004, 00:00 »
There was nothing in the startup folder at all apart from a 'desktop.ini, configuration settings' icon.

I ran msconfig and the only things that I didn't recognise were 'wininet.exe' and 'wintsu.exe'.

I already have HijackThis installed; log below.

Logfile of HijackThis v1.97.7
Scan saved at 23:54:53, on 27/03/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System\wininet.exe
C:\WINDOWS\System32\wintsu.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\Documents and Settings\David\Local Settings\Temp\Temporary Directory 55 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\wininet.exe
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintsu.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBFE5E95-0EB9-44E5-A224-0F0059308042}: NameServer = 213.120.62.98 213.120.62.99
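As an added example (not code from the thread or from HijackThis), a small Python triage of the O4 Run entries in a log like the one above: it flags per-user (HKCU) Run values that launch a file from the Windows directory, and file names borrowed from core Windows DLLs, which picks out exactly the two entries chew did not recognise. The log excerpt is constructed from the lines above and the DLL list is a short illustrative set.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt of the O4 (Run key / Startup folder) lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\wininet.exe
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintsu.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
"""

RUN_LINE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
IMAGE = re.compile(r'^"([^"]+)"|^(.*?\.exe)', re.IGNORECASE)

# Core Windows DLL names that malware borrows for an .exe (illustrative, not exhaustive):
# a Run entry launching wininet.exe has nothing to do with the WinINet library.
DLL_LOOKALIKES = {"wininet", "kernel32", "user32", "advapi32", "shell32"}

def image_path(command):
    """Return the executable part of a Run-key command, with any arguments dropped."""
    m = IMAGE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.strip()

def triage(log_text):
    """Return (value name, image path, reasons) for O4 Run entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        path = image_path(command)
        reasons = []
        # Persistence registered for one user only, yet the file sits in the Windows tree:
        # installed software normally lives in Program Files and registers under HKLM.
        if hive == "HKCU" and path.lower().startswith("c:\\windows\\"):
            reasons.append("per-user Run key launching a file from the Windows directory")
        if PureWindowsPath(path).stem.lower() in DLL_LOOKALIKES:
            reasons.append("file name borrowed from a core Windows DLL")
        if reasons:
            findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f"[{name}] {path}\n    " + "\n    ".join(reasons))
```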


Offline Simon

  • Administrator
  • *****
  • Posts: 76728
  • First to score 7/7 in Quiz of The Week's News 2017
Re:Unwanted internet connect at start up
« Reply #3 on: March 28, 2004, 00:59 »
Quote
I ran msconfig and the only thing that I didn't recognise was 'wininet.exe' and 'wintsu.exe'


I think at least one of those will be the cause of your problem.  According to Trend Micro, WININET.EXE is a Trojan, and needs to be removed.
Quote
The TROJ_WORTRON.10B Trojan generates Worm samples that it can easily modify. This worm uses Simple Mail Transfer Protocol (SMTP) commands in sending emails to recipients listed in the infected user's Windows Address Book. The email format depends on how the Trojan designs it. The subject field, message body, and attachment arrive in different text strings. The email format of every worm is different for every worm.

This worm may or may not execute the following:

    * Search HTML files for email addresses and send copies of itself.
    * Steals passwords that are sent to a certain email address. It may send a file containing key logs every system startup or once a day.
    * Terminate installed firewall products such as "OUTPOST.EXE" and "ZONEALARM.EXE."
    * Displays a messagebox on the first execution of the worm on the infected system.

Upon execution, this worm installs itself on the system. It drops a WININET.EXE file in the Windows System directory. It then modifies the system registry so that WININET.EXE executes upon execution of an application file in the Windows environment. To do this, it modifies the data from ""%1" %*" into "%sysdir%\wininet.exe "%1" %*" in the default value of the following in the registry:

HKEY_CLASSES_ROOT\exefile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
Thereafter, when the password stealing option is enabled, it creates an EXELIB.DLL file in the System directory, where possible passwords are contained. It sends EXELIB.DLL to a certain email address every system startup or once a day. The certain email address is pre-set when the worm was generated.

It then displays a message box, which the Trojan generates for the worm. This message box is also optional from the generation of the worm.


Haven't been able to find out too much about the other thing, but that looks iffy too.

I can't remember if you've done this, but if you can boot into Safe Mode (I think you were having problems with that, but then you said you had managed it), also temporarily disabling System Restore, and run Ad Aware and / or Spybot, they will hopefully get rid of it / them for you.

Can one of the techies please confirm this?
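The registry change Trend Micro describes (the dropped file prepended to the exefile open command) can be checked directly; this is an added Python example, not from the thread or from Trend Micro, using constructed sample values for the key. The order of cleanup matters: if that value still names wininet.exe when the file is deleted, Windows can no longer launch any .exe, so the value has to be restored to "%1" %* first.

```python
import re

# Stock value of HKEY_CLASSES_ROOT\exefile\shell\open\command: run the file, pass its arguments.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample values for that key, modelled on the quoted description.
SAMPLES = {
    "clean": '"%1" %*',
    "hijacked": r'C:\WINDOWS\System\wininet.exe "%1" %*',
    "hijacked_quoted": r'"C:\WINDOWS\System\wininet.exe" "%1" %*',
}

# A program (quoted or bare) inserted in front of the stock "%1" %* tail.
HOOK = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s+"%1"\s+%\*\s*$')

def exefile_hook(value):
    """Return the program interposed before "%1" %*, or None when the value is the stock one.
    Any other shape is returned whole so it gets looked at by hand."""
    if " ".join(value.split()) == CLEAN_EXEFILE_COMMAND:
        return None
    m = HOOK.match(value)
    return (m.group(1) or m.group(2)) if m else value.strip()

def read_live_value():
    """On Windows, read the live default value; elsewhere return None (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return None
    return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command")

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:16} -> hook: {exefile_hook(value)}")
    # Restore CLEAN_EXEFILE_COMMAND before removing a hooked file, otherwise every
    # .exe launch fails because the interposed program no longer exists.
    live = read_live_value()
    if live is not None:
        print("live value ->", exefile_hook(live) or "stock")
```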

Offline chew

  • New Member
  • *
  • Posts: 14
Re:Unwanted internet connect at start up
« Reply #4 on: March 28, 2004, 15:45 »
Thanks Simon,

I had already tried that.
However, I just ran HijackThis and deleted those two things, rebooted, and it seems to have worked. I ran it again to see if they had returned - they hadn't.
I'll re-post if they return.

Thanks.

Chew
