Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I caught systime - please help


  • This topic is locked This topic is locked
12 replies to this topic

#1 Panta

Panta

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:30 AM

Posted 15 October 2004 - 07:07 PM

Hi folks, I'm new here, and I've only just signed up to ask you some advice about this problem I have...

I run Windows ME, have no anti-virus software nor any firewall (and in spite of this I've never had any problems before...)

A couple of days ago I opened a musical fan-site that all of a sudden popped a dozen windows up on my screen, so to make a long (and frustrating) story short, I found a dialer icon on my desktop and understood there was something wrong...

I manually removed some files that thanks to Google and various computer-related sites I had detected as viruses (like ptsnoop and sebkwv if you know them).

But I still couldn't have Explorer to open the proper home page I had set for it so I found out I had this systime.exe file on my hd.

I have dowloaded HijackThis and run it, here's the log I get:

Logfile of HijackThis v1.98.2
Scan saved at 1.49.16, on 16/10/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMMI\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\SYSTIME.EXE
C:\WINDOWS\SYSTEM\SYSTIME.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMMI\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=136299
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=136299
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Kataweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAMMI\SIDEFIND\SFBHO.DLL (file missing)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM302.DLL (file missing)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAMMI\ISTBAR\ISTBAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\Run: [IST Service] C:\Programmi\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [lnjflh] C:\WINDOWS\SYSTEM\sebkwv.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAMMI\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [CONSCORR] C:\WINDOWS\CONSCORR.exe
O4 - HKLM\..\Run: [Power Scan] C:\Programmi\Power Scan\powerscan.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\Run: [Burt] C:\WINDOWS\Application Data\icas.exe
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAMMI\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAMMI\SIDEFIND\SIDEFIND.DLL (file missing)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .WAV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: www.google.it
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://chat1.kataweb.it:4080/chat/data/html/misc/msichat.cab

I would be SOOOOO thankful if any of you guys could help me finding out what to remove, because well, I'm a nerd when we talk about computers...

When I start up the machine I only have "legal" processes running (I know for sure) except one, called "Icas". Any idea what it is or how I can remove it?

Finally, sometimes Explorer performs some invalid operation (it used to do it also before I started having these other problems) but then when I close the whole internet connection is dropped and the voice "winoldap" appears in the Ctrl+Alt+Del window. What's that?

Thanks in advance, any help will be much apreciated.

/Panta

Edited by Panta, 15 October 2004 - 07:08 PM.


BC AdBot (Login to Remove)

 


#2 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:30 AM

Posted 15 October 2004 - 07:38 PM

I don't know if this affects the log but I've moved the .exe to its own folder following the suggested procedure (it was on my desktop, doh!).

#3 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:30 AM

Posted 16 October 2004 - 06:37 AM

Can't anybody help? :thumbsup:

#4 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:SW Louisiana
  • Local time:06:30 AM

Posted 16 October 2004 - 06:41 AM

A member, of the HJT Team, will help you out.
Please, be patient, these people are volunteers. They will help you out, as soon as possible.

In the meantime, run these online virus scanners:

http://www.pandasoftware.com/activescan/

http://housecall.trendmicro.com/

Make a note of what each one finds, and fixes, then post back here with the results.

Edited by tg1911, 16 October 2004 - 06:43 AM.

MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA

Become a BleepingComputer fan: Facebook

#5 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:30 AM

Posted 16 October 2004 - 06:44 AM

Ok, thanks. I didn't mean to sound demanding. :thumbsup:

#6 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:01:30 PM

Posted 16 October 2004 - 06:47 AM

You seriously do need Antivirus & Firewall protection, there are links below my signature to AVG & Kerio, Zone Alarm for those. You need critical updates to your Windows & IE. I have given you a link below for that. Do this first:

Printing this may help you

As you have a variety of issues, I suggest you proceed as follows:
Download the latest version of CWShredder http://www.bleepingcomputer.com/files/cwshredder.phpby Merijn Bellekom, the creator of Hijack This. Check for updates!! If it is version 1.59.1 that is ok.

Run it, press 'Fix', and allow it to fix all it finds.

Download Spybot - Search & Destroy Here

After installing, you MUST first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot clean all the items marked in red.

Next;

Now download Ad-Aware SE Here
After installing AAW, and before running the program, you NEED to FIRST check for updates.

Reconfigure Ad-Aware SE for a custom scan:

Launch the program, and click on the Gear at the top of the start screen.

Under "General Settings" all available options should be selected.

Click the "Scanning" button.
Under "Drives, Folders and Files," select "Scan within Archives".
Click "Drives and folders to scan" and select your installed hard drives.
Under "Memory & Registry," select all options.

Click the "Advanced" button.
Under "Logfile detail level," select all options.

Click the "Defaults" button.
If you want to keep your current settings for your homepage and searchpage,
select "Read current settings from system." Otherwise, Ad-aware will reset them.

Click the "Tweak" button.
Under "Scanning Engine," select the following:
"Unload recognized processes during scanning."
Under "Cleaning Engine," select the following:
"Always try to unload modules before deletion."
"During removal unload Explorer and IE if necessary."
"Let Windows remove files in use after reboot."
Click on "Proceed" to save these Preferences.

Run the Ad-Aware scan, making sure that the mode selected is "Use custom scanning options."

When the scan is finished, the screen will tell you if anything has been found, click "Next." The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?" Reboot when finished.

Next:

You need to Update Windows and Internet Explorer, to get all the Latest Security Patches that Protect Your Computer.

This can be accessed by going Here and following the prompts.


When you've done all that, re-run Hijack This, and show me a fresh log.

There may be more to do!

#7 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:30 AM

Posted 16 October 2004 - 11:26 AM

Well thanks a lot 12g, I don't have time for all that now but I'll give it a try later. Anyway, are those dowloads very big? I don't have much free disc-space...

What I've done instead is running Panda anti-virus as suggested by tg1911. It found and fixed 3 infected files, among which the systime.exe file I wasn't able to remove on my own. Now the homepage of Explorer seems to work as it's supposed to. The only thing I can still see is that Icas application running in my Ctrl+Alt+Del menu, but when I close it Windows says it's stuck and asks me if I want to close it or wait. So it may be due to what I manually removed some days ago.

Anyway, this is a new log... is it any better?

Logfile of HijackThis v1.98.2
Scan saved at 18.27.01, on 16/10/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMMI\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMMI\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=136299
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=136299
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Kataweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAMMI\SIDEFIND\SFBHO.DLL (file missing)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM302.DLL (file missing)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAMMI\ISTBAR\ISTBAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [IST Service] C:\Programmi\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [lnjflh] C:\WINDOWS\SYSTEM\sebkwv.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAMMI\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [CONSCORR] C:\WINDOWS\CONSCORR.exe
O4 - HKLM\..\Run: [Power Scan] C:\Programmi\Power Scan\powerscan.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Burt] C:\WINDOWS\Application Data\icas.exe
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAMMI\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAMMI\SIDEFIND\SIDEFIND.DLL (file missing)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .WAV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: www.google.it
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://chat1.kataweb.it:4080/chat/data/html/misc/msichat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Btw, in which folder has the Panda stuff been saved to? Is there any way to uninstall it once done? Note that while Panda was scanning my hd my internet connection was dropped so unfortunately I couldn't check for detailed results.

Thanks everybody for your help.

#8 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:30 AM

Posted 16 October 2004 - 12:05 PM

I ran CWShredder and Spybot Search & Destroy. Here's a new log:

Logfile of HijackThis v1.98.2
Scan saved at 19.11.24, on 16/10/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMMI\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMMI\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Kataweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAMMI\SIDEFIND\SFBHO.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAMMI\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Burt] C:\WINDOWS\Application Data\icas.exe
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAMMI\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAMMI\SIDEFIND\SIDEFIND.DLL (file missing)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .WAV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: www.google.it
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://chat1.kataweb.it:4080/chat/data/html/misc/msichat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Thanks again.
/P

#9 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:01:30 PM

Posted 16 October 2004 - 02:35 PM

Go to Add/Remove Programs, Remove any instance of;

WEB_REBATES

Next:

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL (file missing)

O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAMMI\SIDEFIND\SFBHO.DLL (file missing)

O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAMMI\WEB_REBATES\WebRebates0.exe"

O4 - HKCU\..\Run: [Burt] C:\WINDOWS\Application Data\icas.exe

O8 - Extra context menu item: Web Rebates - file://C:\PROGRAMMI\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAMMI\SIDEFIND\SIDEFIND.DLL (file missing)

Restart your computer in
Safe Mode Also make sure you show hidden and system files Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show,

C:\PROGRAMMI\WEB_REBATES<<Folder
C:\WINDOWS\Application Data\icas.exe

Reboot in Normal Mode, then post a fresh logfile so that I can check to see if it is clean.

#10 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:30 AM

Posted 16 October 2004 - 09:35 PM

I did it all and here's the log:

Logfile of HijackThis v1.98.2
Scan saved at 4.40.38, on 17/10/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMMI\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Kataweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .WAV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: www.google.it
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://chat1.kataweb.it:4080/chat/data/html/misc/msichat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Note the "F1 - win.ini: load=ptsnoop.exe" line :flowers:

Thanks a lot, it all worked and I'm actually pretty amazed that I made it! :thumbsup:

Let me know how it's going and thanks a LOT!


PS: Btw, either Shredder or Spybot (I don't remember) says to check if sxstall.exe is an ok file, and if not of course fix it. Know anything about it?

Edited by Panta, 16 October 2004 - 09:42 PM.


#11 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:01:30 PM

Posted 17 October 2004 - 02:56 AM

Excellent, your log is clean now :thumbsup:

"F1 - win.ini: load=ptsnoop.exe"

ptsnoop.exe is a part of the PCTel configuration tool for their brand of PCI modems. This program is a non-essential process, but should not be terminated unless suspected to be causing problems. If you have that type of modem leave it, if not fix the line.

sxstall.exe

I know nothing about that exe, and can find nothing about it. I would suggest you check the properties on it. Get back to me on that.

Please follow this advice:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

#12 Panta

Panta
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:30 AM

Posted 17 October 2004 - 06:37 AM

Man, I really owe you.

sxstall properties say that it's an unistaller program located in c:\windows, created more or less in the period during which I had Windows ME installed (not sure though). CWShredder said it could be a random name so I told it to ignore it until I was sure about what it is.

As for your suggestions: yessir! :D

Thanks again and remember you have a friend in Italy right now. ;)


PS: I have just noticed my "Disable System Restore" option in the File System Properties was already ticked. Should I enable it instead?

Edited by Panta, 17 October 2004 - 06:42 AM.


#13 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:01:30 PM

Posted 17 October 2004 - 08:03 AM

You are very welcome :thumbsup: And I love Italy!! I have just got back from there!! Ok, you need to enable System Restore after you have rebooted.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users