redirect IE Start Page

Discussion in 'adware, spyware & hijack cleaning' started by Decibel, May 23, 2004.

Thread Status:
Not open for further replies.
  1. Decibel

    Decibel Registered Member

    Joined:
    May 23, 2004
    Posts:
    4
    Hello, I'm Italian and don't speak English :'( sorry :)
    This is my HijackThis log:

    Start logfile:
    ____________________________________________
    Logfile of HijackThis v1.97.7
    Scan saved at 20.15.29, on 23/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    d:\Programmi\AVPersonal\AVGUARD.EXE
    d:\Programmi\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    D:\Programmi\SlySoft\CloneCD\CloneCDTray.exe
    C:\WINDOWS\Mixer.exe
    C:\Programmi\Creative\ShareDLL\CtNotify.exe
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programmi\Creative\ShareDLL\MediaDet.Exe
    D:\Programmi\AVPersonal\AVGNT.EXE
    C:\WINDOWS\System32\ctfmon.exe
    D:\Programmi\Creative\SBAudigy\Taskbar\CTLTray.exe
    D:\download\software\sicurezza\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Programmi\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CloneCDTray] "d:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Disc Detector] C:\Programmi\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CTStartup] D:\Programmi\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] d:\Programmi\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVGCtrl] d:\Programmi\AVPersonal\AVGNT.EXE /min
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [TaskTray] d:\Programmi\Creative\SBAudigy\Taskbar\CTLTray.exe
    O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1110720-60F6-4592-9B2E-3B7E3437C9DB}: NameServer = 195.130.224.18,195.130.225.129*

    *Note: this is a primary and secondary DNS of my Internet Service Provider
    ____________________________________________
    End logfile

    There are "cashsearch.biz" strings, and HijackThis doesn't fix them because at system reboot the deleted strings reappear.

    I also use Ad-aware, Personal AntiVir, CWShredder and SpyBot Search&Destroy.

    Please help me

    Excuse me for my scholastic English :rolleyes:
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Decibel,

    I don't see the cause for your hijack.
    Did you use the latest version of CWShredder and did it find something?

    Regards,

    Pieter
     
  3. Decibel

    Decibel Registered Member

    Joined:
    May 23, 2004
    Posts:
    4
    :'( :'(

    This is the message if I choose "scan only" with CWShredder:

    Start message:
    ------------------------------------------------------
    CWShredder v1.57.0 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

    Windows XP (5.01.2600 SP1)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system32
    AppData folder: C:\Documents and Settings\Domenico\Dati applicazioni
    Username: Domenico

    Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (5719 bytes, A)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
    CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
    CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (528 bytes, A)
    Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)

    - END OF REPORT -
    -------------------------------------------------------------
    End message

    The program doesn't fix anything!!!!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Nothing in there. :doubt:
    In that case in HijackThis click on Config > Misc Tools > Generate Startuplist
    This will produce a text file. Post that please.

    Regards,

    Pieter
     
  5. Decibel

    Decibel Registered Member

    Joined:
    May 23, 2004
    Posts:
    4
    OK

    Is this it .....

    Start logfile
    -----------------------------------
    StartupList report, 24/05/2004, 15.44.52
    StartupList version: 1.52
    Started from : D:\download\software\sicurezza\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    d:\Programmi\AVPersonal\AVGUARD.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    d:\Programmi\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    D:\Programmi\SlySoft\CloneCD\CloneCDTray.exe
    C:\WINDOWS\Mixer.exe
    C:\Programmi\Creative\ShareDLL\CtNotify.exe
    C:\Programmi\Creative\ShareDLL\MediaDet.Exe
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    D:\Programmi\AVPersonal\AVGNT.EXE
    C:\WINDOWS\System32\ctfmon.exe
    D:\Programmi\Creative\SBAudigy\Taskbar\CTLTray.exe
    D:\Programmi\mozilla.org\Mozilla\Mozilla.exe
    D:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
    D:\download\software\sicurezza\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    CloneCDTray = "d:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
    C-Media Mixer = Mixer.exe /startup

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
    TaskTray = d:\Programmi\Creative\SBAudigy\Taskbar\CTLTray.exe
    Mozilla Quick Launch = "d:\Programmi\mozilla.org\Mozilla\Mozilla.exe" -turbo

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - D:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - D:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - c:\programmi\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    [Symantec RuFSI Utility Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    System: C:\WINDOWS\system32\system32.dll

    --------------------------------------------------
    End of report, 4.744 bytes
    Report generated in 0,188 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
    -----------------------------------------------------
    end logfile

    P.S. SpyBot Search&Destroy detects DSO Exploit and doesn't fix it.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  7. Decibel

    Decibel Registered Member

    Joined:
    May 23, 2004
    Posts:
    4
    Maaaaaaaaaaaaaaaaaaaaaany many thanks
    :D :D
    And now my HijackThis cleeeeeeeeeeean logfile (!!!!)

    Logfile of HijackThis v1.97.7
    Scan saved at 23.55.02, on 24/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    d:\Programmi\AVPersonal\AVGUARD.EXE
    d:\Programmi\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\CTsvcCDA.EXE
    D:\Programmi\SlySoft\CloneCD\CloneCDTray.exe
    C:\WINDOWS\Mixer.exe
    C:\Programmi\Creative\ShareDLL\CtNotify.exe
    C:\Programmi\Creative\ShareDLL\MediaDet.Exe
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    D:\Programmi\AVPersonal\AVGNT.EXE
    C:\WINDOWS\System32\ctfmon.exe
    D:\Programmi\Creative\SBAudigy\Taskbar\CTLTray.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    D:\Programmi\mozilla.org\Mozilla\Mozilla.exe
    D:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
    D:\download\software\sicurezza\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CloneCDTray] "d:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Disc Detector] C:\Programmi\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CTStartup] D:\Programmi\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] d:\Programmi\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVGCtrl] d:\Programmi\AVPersonal\AVGNT.EXE /min
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [TaskTray] d:\Programmi\Creative\SBAudigy\Taskbar\CTLTray.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\Programmi\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1110720-60F6-4592-9B2E-3B7E3437C9DB}: NameServer = 195.130.224.18,195.130.225.129
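As an added example (not code from this thread or from HijackThis itself): a small Python parser that pulls the R0/R1 start-page entries out of a HijackThis log, flags any whose host is not on a trusted list, and diffs the first (hijacked) log against the clean one above so the three cashsearch.biz entries show up as the removed lines. The log excerpts are constructed from the two logs in this thread; the trusted-host list is an assumption.

```python
import re
from urllib.parse import urlparse
# Constructed excerpts of the two HijackThis logs in this thread: the first
# (hijacked) log and the final (clean) one. Only the entry lines are kept.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
O4 - HKLM\..\Run: [AVGCtrl] d:\Programmi\AVPersonal\AVGNT.EXE /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1110720-60F6-4592-9B2E-3B7E3437C9DB}: NameServer = 195.130.224.18,195.130.225.129
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [AVGCtrl] d:\Programmi\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\Programmi\mozilla.org\Mozilla\Mozilla.exe" -turbo
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1110720-60F6-4592-9B2E-3B7E3437C9DB}: NameServer = 195.130.224.18,195.130.225.129
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.+)$")
# R0/R1 body: "<hive>\...\Main,<value name> = <url>"
PAGE_RE = re.compile(r"^(HK\w+)\\.*?,([^=]+?) = (\S+)$")

def parse_entries(log):
    """Return (section, body) for every HijackThis entry line in the log."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def start_page_hijacks(log, trusted_hosts):
    """R0/R1 start/default/local page values whose host is not trusted (assumed list)."""
    hits = []
    for section, body in parse_entries(log):
        if section not in ("R0", "R1"):
            continue
        m = PAGE_RE.match(body)
        if not m:
            continue
        hive, name, url = m.groups()
        host = (urlparse(url).hostname or "").lower()
        if host not in trusted_hosts:
            hits.append((hive, name, host))
    return hits

def diff_logs(before, after):
    """Entries that cleaning removed, and entries newly present afterwards."""
    b, a = set(parse_entries(before)), set(parse_entries(after))
    return sorted(b - a), sorted(a - b)
```

Running `diff_logs(LOG_BEFORE, LOG_AFTER)` lists the three R0/R1 entries as removed and the Mozilla Quick Launch O4 entry as the only addition, which is what a reviewer checks before declaring a log clean.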
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands