redirect IE Start Page

Discussion in 'adware, spyware & hijack cleaning' started by Decibel, May 23, 2004.

Thread Status:
Not open for further replies.
  1. Decibel

    Decibel Registered Member

    Joined:
    May 23, 2004
    Posts:
    4
    Hallo, I'm Italian and no speak english :'( sorry :)
    This is a my Hijackthis log:

    Start logfile:
    ____________________________________________
    Logfile of HijackThis v1.97.7
    Scan saved at 20.15.29, on 23/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    d:\Programmi\AVPersonal\AVGUARD.EXE
    d:\Programmi\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    D:\Programmi\SlySoft\CloneCD\CloneCDTray.exe
    C:\WINDOWS\Mixer.exe
    C:\Programmi\Creative\ShareDLL\CtNotify.exe
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programmi\Creative\ShareDLL\MediaDet.Exe
    D:\Programmi\AVPersonal\AVGNT.EXE
    C:\WINDOWS\System32\ctfmon.exe
    D:\Programmi\Creative\SBAudigy\Taskbar\CTLTray.exe
    D:\download\software\sicurezza\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Programmi\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CloneCDTray] "d:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Disc Detector] C:\Programmi\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CTStartup] D:\Programmi\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] d:\Programmi\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVGCtrl] d:\Programmi\AVPersonal\AVGNT.EXE /min
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [TaskTray] d:\Programmi\Creative\SBAudigy\Taskbar\CTLTray.exe
    O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1110720-60F6-4592-9B2E-3B7E3437C9DB}: NameServer = 195.130.224.18,195.130.225.129*

    *Note: this is a primary and secondary DNS of my Internet Service Provider
    ____________________________________________
    End logfile

    There is a "cashsearch.biz" strings and Hijackthis don't fix because at system reboot the delete strings reappear.

    I use AD-aware, Personal Antivir, cswshredder, SpyBot Search&Destroy also.

    Please help me

    excuse me for my schoolastic english :rolleyes:
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi Decibel,

    I don't see the cause for your hijack.
    Did you use the latest version of CWShredder and did it find something?

    Regards,

    Pieter
     
  3. Decibel

    Decibel Registered Member

    Joined:
    May 23, 2004
    Posts:
    4
    :'( :'(

    This is a message if I choose "scan only" with CSWShredder:

    Start message:
    ------------------------------------------------------
    CWShredder v1.57.0 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

    Windows XP (5.01.2600 SP1)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system32
    AppData folder: C:\Documents and Settings\Domenico\Dati applicazioni
    Username: Domenico

    Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (5719 bytes, A)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
    CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
    CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (528 bytes, A)
    Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)

    - END OF REPORT -
    -------------------------------------------------------------
    End message

    The program don't fix nothing !!!!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Nothing in there. :doubt:
    In that case in HijackThis click on Config > Misc Tools > Generate Startuplist
    This will produce a textfile. Post that please.

    Regards,

    Pieter
     
  5. Decibel

    Decibel Registered Member

    Joined:
    May 23, 2004
    Posts:
    4
    Ok

    is this .....

    Start logfile
    -----------------------------------
    StartupList report, 24/05/2004, 15.44.52
    StartupList version: 1.52
    Started from : D:\download\software\sicurezza\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    d:\Programmi\AVPersonal\AVGUARD.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    d:\Programmi\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    D:\Programmi\SlySoft\CloneCD\CloneCDTray.exe
    C:\WINDOWS\Mixer.exe
    C:\Programmi\Creative\ShareDLL\CtNotify.exe
    C:\Programmi\Creative\ShareDLL\MediaDet.Exe
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    D:\Programmi\AVPersonal\AVGNT.EXE
    C:\WINDOWS\System32\ctfmon.exe
    D:\Programmi\Creative\SBAudigy\Taskbar\CTLTray.exe
    D:\Programmi\mozilla.org\Mozilla\Mozilla.exe
    D:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
    D:\download\software\sicurezza\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    CloneCDTray = "d:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
    C-Media Mixer = Mixer.exe /startup

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
    TaskTray = d:\Programmi\Creative\SBAudigy\Taskbar\CTLTray.exe
    Mozilla Quick Launch = "d:\Programmi\mozilla.org\Mozilla\Mozilla.exe" -turbo

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - D:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - D:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - c:\programmi\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    [Symantec RuFSI Utility Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    System: C:\WINDOWS\system32\system32.dll

    --------------------------------------------------
    End of report, 4.744 bytes
    Report generated in 0,188 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
    -----------------------------------------------------
    end logfile

    p.s. SpyBot Search&Destroy detect DSO Exploit and don't fix
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
  7. Decibel

    Decibel Registered Member

    Joined:
    May 23, 2004
    Posts:
    4
    Maaaaaaaaaaaaaaaaaaaaaany many thanks
    :D :D
    And now my hijackthis cleeeeeeeeeeean logfile (!!!!)

    Logfile of HijackThis v1.97.7
    Scan saved at 23.55.02, on 24/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    d:\Programmi\AVPersonal\AVGUARD.EXE
    d:\Programmi\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\CTsvcCDA.EXE
    D:\Programmi\SlySoft\CloneCD\CloneCDTray.exe
    C:\WINDOWS\Mixer.exe
    C:\Programmi\Creative\ShareDLL\CtNotify.exe
    C:\Programmi\Creative\ShareDLL\MediaDet.Exe
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    D:\Programmi\AVPersonal\AVGNT.EXE
    C:\WINDOWS\System32\ctfmon.exe
    D:\Programmi\Creative\SBAudigy\Taskbar\CTLTray.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    D:\Programmi\mozilla.org\Mozilla\Mozilla.exe
    D:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
    D:\download\software\sicurezza\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CloneCDTray] "d:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Disc Detector] C:\Programmi\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CTStartup] D:\Programmi\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] d:\Programmi\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVGCtrl] d:\Programmi\AVPersonal\AVGNT.EXE /min
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [TaskTray] d:\Programmi\Creative\SBAudigy\Taskbar\CTLTray.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\Programmi\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1110720-60F6-4592-9B2E-3B7E3437C9DB}: NameServer = 195.130.224.18,195.130.225.129
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.