
help needed


53 replies to this topic

#1 fedebrown

fedebrown

  • Members
  • 35 posts
  • OFFLINE
  • Local time:11:42 AM

Posted 15 February 2005 - 01:33 PM

I am Italian and I can't understand English perfectly,
so I will try to explain my problem as well as I can.
My Internet Explorer page is always about:blank, but I had another homepage and I can't turn the page back into my old one, so I think I have a hijacker that Spybot (which I already use) can't find.
Please, can someone help me? Thank you so much.




Logfile of HijackThis v1.99.0
Scan saved at 19.27.08, on 15/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMMI\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\WINDOWS\SYSTEM\E_S5I0E1.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAMMI\ALICE\ALICE ENTERNET\APP\ENTERNET.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAMMI\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAMMI\MESSENGER\MSMSGS.EXE
C:\WINDOWS\DESKTOP\CARTELLA APPLICAZIONI\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gw.aliceadsl.it/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {E17DC7BD-5BC4-4D0F-BB57-50B6655617EF} - C:\WINDOWS\SYSTEM\NCOD.DLL
O2 - BHO: (no name) - {F2A4407B-FFBC-4A1F-A18A-0F68C3E0FC9E} - C:\WINDOWS\SYSTEM\TEXIFOR.DLL
O2 - BHO: (no name) - {9E10B5DE-D99A-AA4D-9C11-E326F6CC6EF6} - C:\WINDOWS\SYSTEM\DOSIHIB.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [avast!] C:\Programmi\Alwil Software\Avast4\ashServ.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Alice - {325C7060-4EE0-11D9-A633-D04A250AC352} - http://gw.aliceadsl.it/alice (file missing) (HKCU)
O12 - Plugin for .it/Didattica1/pagine-web/facolt--di/Armando-Da/corso-di-p/G---A: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O18 - Filter: text/html - {1231845F-0C7C-4DF9-83B0-A712424A301C} - C:\WINDOWS\SYSTEM\NCOD.DLL
O18 - Filter: text/plain - {1231845F-0C7C-4DF9-83B0-A712424A301C} - C:\WINDOWS\SYSTEM\NCOD.DLL


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:42 AM

Posted 15 February 2005 - 11:29 PM

Hello fedebrown,

You have a CWS infection. Let's get rid of it. :thumbsup:

Download: "StartDreck", from here:
http://members.blackbox.net/hp_links/21/ni.../startdreck.zip

Unzip to its own folder and start the program.

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/Drivers -> Running Processes

Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)

Post the log to this thread.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 fedebrown

fedebrown
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:11:42 AM

Posted 17 February 2005 - 03:34 PM

Thank you very much! I'll try this solution and I'll add a new post with the result... I hope it will be OK!

#4 fedebrown

fedebrown
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:11:42 AM

Posted 17 February 2005 - 03:56 PM

OK, here is the new log:

StartDreck (build 2.1.7 public stable) - 2005-02-17 @ 21.54.51 (GMT +01:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as *********+ at X2G2I7

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LWBMOUSE=C:\Programmi\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
*EPSON Stylus CX6600 Series=C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*ashMaiSv=C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
*MSUpdSrv=msupdsrv.exe
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*Machine Debug Manager=C:\WINDOWS\SYSTEM\MDM.EXE
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*avast!=C:\Programmi\Alwil Software\Avast4\ashServ.exe
»RunServicesOnce
**ig=rundll32 C:\WINDOWS\HLPSTEY1.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FFCF01F7=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF4717=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFE71B=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFFED27=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE2983=C:\WINDOWS\SYSTEM\MDM.EXE
+FFFE3D6B=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFE0D53=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEB0A3=C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
+FFFEFD1F=C:\WINDOWS\RUNDLL32.EXE
+FFFE7307=C:\WINDOWS\EXPLORER.EXE
+FFFB6173=C:\WINDOWS\TASKMON.EXE
+FFFB66D7=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFCC2A7=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFB280B=C:\PROGRAMMI\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
+FFFB4DB3=C:\WINDOWS\SYSTEM\E_S5I0E1.EXE
+FFFC9ADF=C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
+FFFBFE1F=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFA2097=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFAB767=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF8A55B=C:\PROGRAMMI\ALICE\ALICE ENTERNET\APP\ENTERNET.EXE
+FFF83B23=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF67F33=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF6E9B3=C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
+FFF40DF3=C:\WINDOWS\DESKTOP\CARTELLA APPLICAZIONI\STARTDRECK.EXE
»Application specific

I hope you'll answer soon! Thank you.

#5 fedebrown

fedebrown
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:11:42 AM

Posted 17 February 2005 - 05:05 PM

OK, I think there are some parts missing in my last log... so here is the new one:



StartDreck (build 2.1.7 public stable) - 2005-02-17 @ 23.04.53 (GMT +01:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as *********+ at X2G2I7

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LWBMOUSE=C:\Programmi\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
*EPSON Stylus CX6600 Series=C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*ashMaiSv=C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
*MSUpdSrv=msupdsrv.exe
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*Machine Debug Manager=C:\WINDOWS\SYSTEM\MDM.EXE
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*avast!=C:\Programmi\Alwil Software\Avast4\ashServ.exe
»RunServicesOnce
**ig=rundll32 C:\WINDOWS\HLPSTEY1.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAMMI\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
*{9E10B5DE-D99A-AA4D-9C11-E326F6CC6EF6}
`InprocServer32=C:\WINDOWS\SYSTEM\DOSIHIB.DLL
*{BC295A8D-1054-ADD2-7921-4933BA265D3F}
`InprocServer32=C:\WINDOWS\SYSTEM\HOMIEOMI.DLL
*{3737A0ED-34B8-4820-B091-0E1F2DA60C35}
`InprocServer32=C:\WINDOWS\SYSTEM\NCOD.DLL
»Files
»Autostart Folders
»Current User
»Default User
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\winstart.bat
*C:\WINDOWS\command\cmdinit.bat
»System/Drivers
»Running Processes
+FFCF01F7=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF4717=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFE71B=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFFED27=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE2983=C:\WINDOWS\SYSTEM\MDM.EXE
+FFFE3D6B=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFE0D53=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEB0A3=C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
+FFFEFD1F=C:\WINDOWS\RUNDLL32.EXE
+FFFE7307=C:\WINDOWS\EXPLORER.EXE
+FFFB6173=C:\WINDOWS\TASKMON.EXE
+FFFB66D7=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFCC2A7=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFB280B=C:\PROGRAMMI\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
+FFFB4DB3=C:\WINDOWS\SYSTEM\E_S5I0E1.EXE
+FFFC9ADF=C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
+FFFBFE1F=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFA2097=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFAB767=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF67F33=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF51CD3=C:\PROGRAMMI\ALICE\ALICE ENTERNET\APP\ENTERNETFOLDER.EXE
+FFF45B43=C:\PROGRAMMI\ALICE\ALICE ENTERNET\APP\ENTERNET.EXE
+FFF4073F=C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
+FFF35FEF=C:\WINDOWS\DESKTOP\CARTELLA APPLICAZIONI\STARTDRECK.EXE
»NT Services
»Application specific

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:42 AM

Posted 17 February 2005 - 05:48 PM

Hello fedebrown,

Download CWShredder Version 2.13(the stand-alone version) from the following site: http://www.intermute.com/spysubtract/cwshr...r_download.html

After you download the program, unzip it into a directory.
Make sure all browser windows are closed and double click on the cwshredder.exe to start the program.

When the program is loaded, click on the "Check for Update" button, and if it finds a new version it will download it.

You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

Reboot and submit a new Hijackthis log.

Edited by SifuMike, 17 February 2005 - 05:50 PM.


#7 fedebrown

fedebrown
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:11:42 AM

Posted 18 February 2005 - 08:51 AM

Hello SifuMike, and thank you for your help.
Here is the latest HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 14.49.39, on 18/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMMI\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\WINDOWS\SYSTEM\E_S5I0E1.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMI\ALICE\ALICE ENTERNET\APP\ENTERNET.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\CARTELLA APPLICAZIONI\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gw.aliceadsl.it/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gw.aliceadsl.it/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {9E10B5DE-D99A-AA4D-9C11-E326F6CC6EF6} - C:\WINDOWS\SYSTEM\DOSIHIB.DLL
O2 - BHO: (no name) - {BC295A8D-1054-ADD2-7921-4933BA265D3F} - C:\WINDOWS\SYSTEM\HOMIEOMI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [avast!] C:\Programmi\Alwil Software\Avast4\ashServ.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Alice - {325C7060-4EE0-11D9-A633-D04A250AC352} - http://gw.aliceadsl.it/alice (file missing) (HKCU)
O12 - Plugin for .it/Didattica1/pagine-web/facolt--di/Armando-Da/corso-di-p/G---A: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:42 AM

Posted 18 February 2005 - 12:33 PM

Hello fedebrown,

I don't see any changes in your log.
I think the reason is that I forgot to tell you to run CWShredder in Safe Mode.

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


Please run CWShredder in the Safe Mode

***************************************************

Please download, update and run
Adaware SE in the Safe Mode (see instructions below on how to set it up to do a full scan)

***************************************************

If you need help running this tool, here is a helpful tutorial.
Adaware SE Tutorial

***************************************************

Be sure to run Adaware SE with a Full Scan in the Safe Mode.

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


The following explains how to set Ad-aware's settings to perform a "Full Scan."

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level.

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile

In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.



Fix whatever it suggests.

***************************************************


Reboot and submit a new Hijackthis log.

Edited by SifuMike, 18 February 2005 - 12:55 PM.


#9 fedebrown

fedebrown
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:11:42 AM

Posted 18 February 2005 - 08:16 PM

Hello SifuMike,
believe me... I am very angry because although I did all the things you told me to do, now I have another IE page that is not mine... and a lot of pages inside my favourite sites folder... and now I also have a lot of Internet Explorer icons all over the icons on my desktop... I can't understand what's happening... while I was running Ad-aware a lot of Internet Explorer pages named ewizard.cc appeared and confused me.... there were like 30 or 40...
Please help me again if you can...
Here is the latest log:

Logfile of HijackThis v1.99.0
Scan saved at 2.16.16, on 19/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMMI\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\WINDOWS\SYSTEM\E_S5I0E1.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMI\ALICE\ALICE ENTERNET\APP\ENTERNETFOLDER.EXE
C:\PROGRAMMI\ALICE\ALICE ENTERNET\APP\ENTERNET.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\CARTELLA APPLICAZIONI\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pornbook.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gw.aliceadsl.it/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {9E10B5DE-D99A-AA4D-9C11-E326F6CC6EF6} - C:\WINDOWS\SYSTEM\DOSIHIB.DLL
O2 - BHO: (no name) - {BC295A8D-1054-ADD2-7921-4933BA265D3F} - C:\WINDOWS\SYSTEM\HOMIEOMI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [avast!] C:\Programmi\Alwil Software\Avast4\ashServ.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Alice - {325C7060-4EE0-11D9-A633-D04A250AC352} - http://gw.aliceadsl.it/alice (file missing) (HKCU)
O12 - Plugin for .it/Didattica1/pagine-web/facolt--di/Armando-Da/corso-di-p/G---A: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:42 AM

Posted 18 February 2005 - 10:03 PM

Hello fedebrown,

We are making progress, so do not get discouraged. Part of the CWS infection is gone. :thumbsup: But you picked up another infection since we began.
We will get rid of them. :flowers:
****************************************************
Do you know what this program is? Did you install it?
C:\WINDOWS\SYSTEM\E_S5I0E1.EXE

****************************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pornbook.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {9E10B5DE-D99A-AA4D-9C11-E326F6CC6EF6} - C:\WINDOWS\SYSTEM\DOSIHIB.DLL
O2 - BHO: (no name) - {BC295A8D-1054-ADD2-7921-4933BA265D3F} - C:\WINDOWS\SYSTEM\HOMIEOMI.DLL
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall


Fix these O6 entries if you did NOT activate the 'Lock homepage from changes' option in some kind of anti-spyware tool.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

****************************************************
Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold:

C:\WINDOWS\SYSTEM\DOSIHIB.DLL <== file
C:\WINDOWS\SYSTEM\HOMIEOMI.DLL <== file
C:\WINDOWS\TEMP\SE.DLL <== file
C:\Recycled\Q330995.exe <== file
msupdsrv.exe <== file You will have to search for this file. It may be in C:\WINDOWS\SYSTEM\ or C:\WINDOWS\TEMP

****************************************************
Let's empty the temp files:

Download CCleaner and install it (the default location is best).
Select the Windows tab and run CCleaner (click Run Cleaner, bottom right); when it finishes scanning, click Exit.
When you see "Complete" on the top line, it's done. It's very fast.

****************************************************

Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 fedebrown (Topic Starter)

Posted 19 February 2005 - 04:22 PM

Hello!
OK, now I'm calmer.
I did all the steps, and I also found the program C:\WINDOWS\SYSTEM\E_S5I0E1.EXE
on my computer, but I don't know what it is.
Now everything seems to be all right on my computer, but SEEMS..!
Here is the latest log:

Logfile of HijackThis v1.99.0
Scan saved at 22.22.11, on 19/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMMI\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\E_S5I0E1.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAMMI\ALICE\ALICE ENTERNET\APP\ENTERNET.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\CARTELLA APPLICAZIONI\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [ntddetect] WS\SYSTEM\ntddetect.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [avast!] C:\Programmi\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [ntddetect] WS\SYSTEM\ntddetect.exe
O4 - HKCU\..\Run: [ntddetect] WS\SYSTEM\ntddetect.exe
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Alice - {325C7060-4EE0-11D9-A633-D04A250AC352} - http://gw.aliceadsl.it/alice (file missing) (HKCU)
O12 - Plugin for .it/Didattica1/pagine-web/facolt--di/Armando-Da/corso-di-p/G---A: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx

#12 SifuMike (malware expert, Staff Emeritus)

Posted 19 February 2005 - 05:36 PM

Hello fedebrown.

You have two suspicious files we need to check. I have a feeling that these are trojans, viruses or adware.

Go to this link: http://virusscan.jotti.org/

Use the BROWSE button at the top and navigate to this file:
C:\WINDOWS\System32\ntddetect.exe
Right-click on the file and choose Select.
Back at the site, choose SUBMIT.
Wait for the scan results and save them in a convenient spot in Notepad.
Then copy and paste the entire results of the scan to this thread.


Here is what a sample output looks like:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken)


Then do the same Jotti scan for this file: C:\WINDOWS\SYSTEM\E_S5I0E1.EXE, and copy and paste the results to this thread.

Also, right-click on the files C:\WINDOWS\System32\ntddetect.exe and C:\WINDOWS\SYSTEM\E_S5I0E1.EXE, left-click Properties,
and copy and paste the results to this thread. It should tell you the date created and the creator of the file.

#13 fedebrown (Topic Starter)

Posted 22 February 2005 - 12:58 PM

Hello SifuMike, I'm sorry, but I had an exam yesterday and couldn't post before today.
So, here are the results of the scan:


File: ntddetect.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: FSG

AntiVir TR/Proxy.Agent.DL (1.12 seconds taken)
Avast No viruses found (1.17 seconds taken)
AVG Antivirus No viruses found (2.40 seconds taken)
BitDefender No viruses found (3.42 seconds taken)
ClamAV No viruses found (3.18 seconds taken)
Dr.Web Trojan.Proxy.215 (7.77 seconds taken)
F-Prot Antivirus No viruses found (1.38 seconds taken)
Fortinet No viruses found (3.81 seconds taken)
Kaspersky Anti-Virus Trojan-Proxy.Win32.Agent.dl (7.66 seconds taken)
mks_vir Trojan.Proxy.Agent.Dl (0.76 seconds taken)
NOD32 probably unknown NewHeur_PE (probable variant) (1.62 seconds taken)
Norman Virus Control W32/Agent.BCA (0.56 seconds taken)

Statistics
Last piece of malware found was Trojan-Downloader.Win32.Dadobra.a in cartao.scr, detected by:

Scanner Malware name Time taken
AntiVir X 1.49 seconds
Avast X 4.56 seconds
AVG Antivirus X 1.68 seconds
BitDefender X 2.19 seconds
ClamAV X 2.31 seconds
Dr.Web X 2.09 seconds
F-Prot Antivirus X 2.14 seconds
Fortinet X 0.78 seconds
Kaspersky Anti-Virus Trojan-Downloader.Win32.Dadobra.a 2.82 seconds
mks_vir X 0.47 seconds
NOD32 X 1.52 seconds
Norman Virus Control X 6.81 seconds




File: E_S5I0E1.EXE
Status: OK
Packers detected: None

AntiVir No viruses found (0.82 seconds taken)
Avast No viruses found (3.00 seconds taken)
AVG Antivirus No viruses found (0.75 seconds taken)
BitDefender No viruses found (1.62 seconds taken)
ClamAV No viruses found (2.44 seconds taken)
Dr.Web No viruses found (2.34 seconds taken)
F-Prot Antivirus No viruses found (0.22 seconds taken)
Fortinet No viruses found (1.21 seconds taken)
Kaspersky Anti-Virus No viruses found (2.93 seconds taken)
mks_vir No viruses found (0.71 seconds taken)
NOD32 No viruses found (1.38 seconds taken)
Norman Virus Control No viruses found (2.71 seconds taken)

Statistics
Last piece of malware found was Worm/SdBot.50176.1 in fFAwwW.exe, detected by:

Scanner Malware name Time taken
AntiVir Worm/SdBot.50176.1 1.42 seconds
Avast Win32:Trojan-gen. {Other} 4.57 seconds
AVG Antivirus BackDoor.Small.4.AH 1.83 seconds
BitDefender Backdoor.SDBot.6AC64B9D 5.74 seconds
ClamAV X 3.78 seconds
Dr.Web Win32.HLLW.ForBot.based 6.08 seconds
F-Prot Antivirus W32/Agobot.CYF 0.25 seconds
Fortinet X 1.19 seconds
Kaspersky Anti-Virus Backdoor.Win32.Agobot.xi 4.34 seconds
mks_vir Trojan.Agobot.Xi 0.55 seconds
NOD32 Win32/Agobot.ADX 1.31 seconds
Norman Virus Control Sandbox: W32/Malware 12.42 seconds


The file ntddetect.exe was created on 19-02-05 and modified the same day, but there is no creator name in its Properties.
The other file was created in October 2004 by Seiko Epson Corp.
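The two result blocks above make the point that one vendor name on its own is rarely conclusive, while a majority of engines agreeing (six of twelve here, with a consistent Proxy/Agent family name) is, and a file that every engine clears and that carries a real publisher gets left alone. As an added example, not code from this thread or from the scan service, the parser below reads a pasted Jotti-style result block, stops at the site's "Statistics" ticker so the unrelated sample listed there is not counted, separates engine names from verdicts with a fixed engine list, and turns the result into a verdict plus a family hint built from the name tokens the detecting engines share. The result text is copied from the post above; the engine list, the two-engine threshold and the set of generic words to ignore are this example's assumptions.

```python
"""Consensus over a pasted Jotti-style multi-engine scan result.

Added example, not code from the thread or from the scan service.  The result
blocks are copied from the post above; the engine list, the two-engine
threshold and the generic-word list are this example's assumptions.
"""
import re

ENGINES = [
    "AntiVir", "Avast", "AVG Antivirus", "BitDefender", "ClamAV", "Dr.Web",
    "F-Prot Antivirus", "Fortinet", "Kaspersky Anti-Virus", "mks_vir", "NOD32",
    "Norman Virus Control",
]
CLEAN = "No viruses found"
# Category words every vendor uses; they say nothing about the family.
GENERIC = {"trojan", "worm", "backdoor", "virus", "probably", "probable",
           "unknown", "variant", "generic", "malware"}
TIMING_RE = re.compile(r"\s*\([\d.]+ seconds taken\)?$")  # tolerate a missing ')'

NTDDETECT_REPORT = """\
File: ntddetect.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: FSG

AntiVir TR/Proxy.Agent.DL (1.12 seconds taken)
Avast No viruses found (1.17 seconds taken)
AVG Antivirus No viruses found (2.40 seconds taken)
BitDefender No viruses found (3.42 seconds taken)
ClamAV No viruses found (3.18 seconds taken)
Dr.Web Trojan.Proxy.215 (7.77 seconds taken)
F-Prot Antivirus No viruses found (1.38 seconds taken)
Fortinet No viruses found (3.81 seconds taken)
Kaspersky Anti-Virus Trojan-Proxy.Win32.Agent.dl (7.66 seconds taken)
mks_vir Trojan.Proxy.Agent.Dl (0.76 seconds taken)
NOD32 probably unknown NewHeur_PE (probable variant) (1.62 seconds taken)
Norman Virus Control W32/Agent.BCA (0.56 seconds taken)

Statistics
Last piece of malware found was Trojan-Downloader.Win32.Dadobra.a in cartao.scr, detected by:
Kaspersky Anti-Virus Trojan-Downloader.Win32.Dadobra.a 2.82 seconds
"""

EPSON_REPORT = """\
File: E_S5I0E1.EXE
Status: OK
Packers detected: None

AntiVir No viruses found (0.82 seconds taken)
Avast No viruses found (3.00 seconds taken)
AVG Antivirus No viruses found (0.75 seconds taken)
BitDefender No viruses found (1.62 seconds taken)
ClamAV No viruses found (2.44 seconds taken)
Dr.Web No viruses found (2.34 seconds taken)
F-Prot Antivirus No viruses found (0.22 seconds taken)
Fortinet No viruses found (1.21 seconds taken)
Kaspersky Anti-Virus No viruses found (2.93 seconds taken)
mks_vir No viruses found (0.71 seconds taken)
NOD32 No viruses found (1.38 seconds taken)
Norman Virus Control No viruses found (2.71 seconds taken)
"""


def parse_report(text):
    """Parse one result block into {'file', 'status', 'packers', 'results'}."""
    report = {"file": None, "status": None, "packers": [], "results": {}}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Statistics"):
            break  # site-wide ticker about someone else's sample; not our file
        if line.startswith("File:"):
            report["file"] = line[5:].strip()
        elif line.startswith("Status:"):
            report["status"] = line[7:].strip()
        elif line.startswith("Packers detected:"):
            packers = line.split(":", 1)[1].strip()
            report["packers"] = [] if packers == "None" else packers.split(", ")
        else:
            engine = next((e for e in ENGINES if line.startswith(e + " ")), None)
            if engine:
                name = TIMING_RE.sub("", line[len(engine):]).strip()
                report["results"][engine] = None if name == CLEAN else name
    return report


def detections(report):
    """Engines that named the file, with the name each one gave."""
    return {e: v for e, v in report["results"].items() if v}


def verdict(report, min_engines=2):
    """'malicious' on agreement, 'suspicious' on a lone hit or a packed file, else 'clean'."""
    hits = detections(report)
    if len(hits) >= min_engines:
        return "malicious"
    if hits or report["packers"]:
        return "suspicious"  # corroborate with signer and creation date, as the thread does
    return "clean"


def family_hint(report, top=3):
    """Name tokens shared by the most detecting engines, e.g. [('agent', 4), ('proxy', 4)]."""
    counts = {}
    for name in detections(report).values():
        for tok in {t.lower() for t in re.findall(r"[A-Za-z]{4,}", name)} - GENERIC:
            counts[tok] = counts.get(tok, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


if __name__ == "__main__":
    for text in (NTDDETECT_REPORT, EPSON_REPORT):
        r = parse_report(text)
        print(r["file"], verdict(r), f"{len(detections(r))}/{len(r['results'])}", family_hint(r))
```

Run stand-alone it prints one line per file: ntddetect.exe is "malicious" with 6/12 engines and an agent/proxy family hint, E_S5I0E1.EXE is "clean" with 0/12. A lone heuristic hit, or a packed file with no hits at all (the GoogleToolbarInstaller sample in the earlier post), lands in "suspicious", which is exactly the case where the Properties check SifuMike asks for (creation date, publisher) decides the matter.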

#14 SifuMike (malware expert, Staff Emeritus)

Posted 22 February 2005 - 01:29 PM

Hello fedebrown,

E_S5I0E1.EXE is a file from seiko epson corp, so it is OK.

************************************************

Please download this file to your desktop - http://www.mvps.org/winhelp2002/DelDomains.inf .

Right click on the file you downloaded and select install.
This resets the Trusted and Restricted Zones to their defaults. The O15 entries are the Trusted and Restricted Zones, so those will be clean after you run this.
You will have to reset your Trusted and Restricted Zones to whatever you had before your malware infection.

************************************************

How to reboot into Safe Mode:
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


Please boot into Safe Mode, go to HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each.
WS\SYSTEM\ntddetect.exe
C:\WINDOWS\System32\ntddetect.exe


While still in Safe Mode, select the following entries in HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please click "Fix".

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O4 - HKLM\..\Run: [ntddetect] WS\SYSTEM\ntddetect.exe
O4 - HKLM\..\RunServices: [ntddetect] WS\SYSTEM\ntddetect.exe
O4 - HKCU\..\Run: [ntddetect] WS\SYSTEM\ntddetect.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx


************************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold:

WS\SYSTEM\ntddetect.exe <== file
C:\WINDOWS\System32\ntddetect.exe <== file

************************************************

Let's empty the temp files:

Download CCleaner and install it (the default location is best).
Select the Windows tab and run CCleaner (click Run Cleaner, bottom right); when it finishes scanning, click Exit.
When you see "Complete" on the top line, it's done. It's very fast.

************************************************

Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 22 February 2005 - 01:30 PM.

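The fix list in the reply above is the result of a fixed set of triage rules applied to the log in post #11: IE start or search pages pointing at about:blank or at a host the owner does not recognise, a URLSearchHook or BHO with no name or no backing file, an O4 autorun whose path is not rooted on a drive (the truncated "WS\SYSTEM\ntddetect.exe" form) or that loads a DLL out of TEMP through rundll32, every O15 Trusted Zone domain or IP range (hosts placed there get IE's relaxed trusted-site settings, which is why the hijacker adds iframedollars.biz to the zone alongside its O16 ActiveX loader from the same host), and O16 downloads from file:// or from a non-Microsoft host. As an added example, not part of the thread and not HijackThis's own logic, the script below encodes those rules and runs them over lines copied from the logs in this thread; the allow-list of ISP hosts and the rule thresholds are this example's assumptions.

```python
"""Triage of a HijackThis 1.99 log with the rules used in the reply above.

Added example: the sample lines are copied from the logs in this thread; the
allow-list and the rules are this example's assumptions, not HijackThis's.
"""
import re

# Hosts the owner legitimately uses (assumption: the ISP portal the reply leaves alone).
KNOWN_GOOD_HOSTS = {"www.rossoalice.it", "gw.aliceadsl.it"}

ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")
DRIVE_ROOTED = re.compile(r"^[A-Za-z]:\\")

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pornbook.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {9E10B5DE-D99A-AA4D-9C11-E326F6CC6EF6} - C:\WINDOWS\SYSTEM\DOSIHIB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [ntddetect] WS\SYSTEM\ntddetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
"""


def entries(log):
    """Yield (kind, body) for every R*/O* line; process lists and headers are skipped."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def host_of(url):
    """Host part of scheme://host/..., or None when the value is not a URL."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/]+)", url, re.I)
    return m.group(1).lower() if m else None


def triage(log):
    """Return [(reason, entry line)] for the entries an analyst would fix."""
    findings = []
    for kind, body in entries(log):
        line = f"{kind} - {body}"
        if kind in ("R0", "R1"):
            value = body.split(" = ", 1)[1] if " = " in body else ""
            host = host_of(value)
            if value == "about:blank" or (host and host not in KNOWN_GOOD_HOSTS):
                findings.append(("IE start/search page hijacked", line))
        elif kind == "R3" and ("(no file)" in body or "(no name)" in body):
            findings.append(("URLSearchHook with no name or backing file", line))
        elif kind == "O2" and body.startswith("BHO: (no name)"):
            findings.append(("unnamed BHO", line))
        elif kind == "O4":
            # Command after the [name] tag.  A path with a backslash that is not
            # rooted on a drive (WS\SYSTEM\ntddetect.exe) is the truncated form in
            # this thread; rundll32 of a DLL in TEMP is a loader pattern.
            cmd = body.split("] ", 1)[1] if "] " in body else ""
            exe = cmd.split()[0] if cmd.split() else ""
            if "\\" in exe and not DRIVE_ROOTED.match(exe):
                findings.append(("autorun with non-rooted path", line))
            elif exe.lower() in ("rundll32", "rundll32.exe") and "\\temp\\" in cmd.lower():
                findings.append(("rundll32 loading a DLL from TEMP", line))
        elif kind == "O6":
            findings.append(("IE policy restrictions present", line))
        elif kind == "O15":
            # Every Trusted Zone domain or IP range gets IE's relaxed zone settings.
            findings.append(("Trusted Zone entry", line))
        elif kind == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = host_of(url)
            microsoft = host == "microsoft.com" or (host or "").endswith(".microsoft.com")
            if url.lower().startswith("file://") or (host and not microsoft):
                findings.append(("ActiveX download from untrusted source", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:42} {line}")
```

Run on the sample it reports eleven entries, the same ones the replies in this thread told fedebrown to fix, and leaves the ISP start page, the Acrobat BHO and the stock Windows ME Run entries alone. Name-only O4 entries such as "[MSUpdSrv] msupdsrv.exe" are deliberately not flagged by a path rule, because SysTray.Exe and mstask.exe look the same in a log; for those the reply's instruction stands: locate the file on disk and check it.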

#15 fedebrown (Topic Starter)

Posted 23 February 2005 - 03:39 PM

Hello SifuMike, here is the latest log.
I hope there is some good news!


Logfile of HijackThis v1.99.0
Scan saved at 21.39.18, on 23/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMMI\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\WINDOWS\SYSTEM\E_S5I0E1.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMI\ALICE\ALICE ENTERNET\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\CARTELLA APPLICAZIONI\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [avast!] C:\Programmi\Alwil Software\Avast4\ashServ.exe
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Alice - {325C7060-4EE0-11D9-A633-D04A250AC352} - http://gw.aliceadsl.it/alice (file missing) (HKCU)
O12 - Plugin for .it/Didattica1/pagine-web/facolt--di/Armando-Da/corso-di-p/G---A: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home



