
[solved]Problem with Internet Explorer home page

#1 ·
Something is changing Internet Explorer's home page.
I read a former post about the topic, so I closed all the windows and ran Hijack This. This is the log:

Logfile of HijackThis v1.98.0
Scan saved at 14.22.19, on 27/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inetm\services.exe
C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\MSC~1.ADA\network\win32\lmgrd.exe
E:\Programmi\DS Clock\dsclock.exe
C:\Programmi\Microsoft Office\Office\1040\msoffice.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\MSC~1.ADA\network\win32\adamsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Intel\ASF Agent\ASFAgent.exe
C:\Programmi\Google\ggviewer81-96.exe
C:\Programmi\Microsoft Hardware\Mouse\POINT32.EXE
H:\testi\transit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.piaggio.com:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = piaggionet*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - e:\Programmi\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Programmi\Bouncer\LiveUpdate.exe 110
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Babylon Translator] C:\Programmi\Babylon\Babylon.exe
O4 - HKCU\..\Run: [DS Clock] "e:\Programmi\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Eudora.lnk = C:\Eudora\Eudora.exe
O4 - Startup: SpywareGuard.lnk = E:\programmi\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\Software\..\Telephony: DomainName = piaggio.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3

Can you please help me to solve the problem? Thank you very much.

Riccardo Testi
 
#2 ·
Go here and download Adaware SE

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now and download the latest reference files.

Make sure the following settings are made and on (ON = GREEN):

From main window: Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.
 
#3 ·
Dear alienadam,
I followed your advice step-by-step. Besides that, I restarted the PC with network cable disconnected. I did that because I wanted to set the Explorer home page after the restart and I didn't want Explorer to go to searchportal.info when I opened it.
So I restarted the PC, but, as soon as XP started, Spywareguard told me something was trying to change Explorer's home page. So the problem is still there.
Besides this, the mouse lost the button definition on restart and I had to go to the control panel to reset it.
Thank you very much all the same for your helpfulness.
 
#6 ·
Ooops! Sorry, Cybertech, that was the one before I ran Ad-aware. Here's the current one.

Thank you very much
Riccardo.

Logfile of HijackThis v1.98.0
Scan saved at 10.36.26, on 30/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\MSC~1.ADA\network\win32\lmgrd.exe
C:\WINDOWS\inetm\services.exe
C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programmi\Babylon\Babylon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\MSC~1.ADA\network\win32\adamsd.exe
E:\Programmi\DS Clock\dsclock.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Intel\ASF Agent\ASFAgent.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Microsoft Office\Office\1040\msoffice.exe
E:\programmi\SpywareGuard\sgmain.exe
E:\programmi\SpywareGuard\sgbhp.exe
C:\Programmi\Google\ggviewer81-96.exe
C:\Programmi\Microsoft Hardware\Mouse\POINT32.EXE
H:\testi\transit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.piaggio.com:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = piaggionet*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - e:\Programmi\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Programmi\Bouncer\LiveUpdate.exe 110
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Babylon Translator] C:\Programmi\Babylon\Babylon.exe
O4 - HKCU\..\Run: [DS Clock] "e:\Programmi\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Eudora.lnk = C:\Eudora\Eudora.exe
O4 - Startup: SpywareGuard.lnk = E:\programmi\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\Software\..\Telephony: DomainName = piaggio.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
 
#7 ·
Run HJT again and put a check in the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Programmi\Bouncer\LiveUpdate.exe 110
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe

Close all applications and browser windows before you click "fix checked".

Reboot and let us know if that helps.
 
#8 ·
Cybertech,
I did as you wrote. As soon as Win XP restarted, SpywareGuard told me "something" was trying to change the Explorer home page from searchportal.info to a blank page. I think this was the effect of the fixing you suggested. I told SpywareGuard to allow the change, but after a minute or so, SpywareGuard told me "something" was trying to change the home page back to searchportal.info. So I think the problem is still there.
Besides this, XP lost the mouse settings when I restarted XP: I had set the mouse as left-handed, but when I restarted XP, I had to click with the left button. I opened the Control Panel and checked the mouse settings: it was still left-handed! So I clicked OK and the mouse reverted to the left-handed status.....
This morning I downloaded the new Ad-aware definitions and did a full system scan: nothing was found.

Thank you very much
Riccardo
 
#9 ·
I see you have spybot but have you tried adaware?

http://lavasoft.element5.com/software/adaware/

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window: Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next)
 
#11 ·
Are these valid?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\Software\..\Telephony: DomainName = piaggio.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
 
#16 ·
Cybertech,
here's the new log:

Logfile of HijackThis v1.98.0
Scan saved at 10.23.52, on 06/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\MSC~1.ADA\network\win32\lmgrd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\MSC~1.ADA\network\win32\adamsd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inetm\services.exe
C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programmi\Intel\ASF Agent\ASFAgent.exe
C:\Programmi\Babylon\Babylon.exe
E:\Programmi\DS Clock\dsclock.exe
C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programmi\TimeCalendar\TC.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Eudora\Eudora.exe
C:\Programmi\Microsoft Office\Office\1040\msoffice.exe
C:\Programmi\Google\ggviewer81-96.exe
C:\Programmi\Microsoft Hardware\Mouse\POINT32.EXE
E:\ptc\programmi\proe\i486_nt\nms\nmsd.exe
C:\WINDOWS\hh.exe
H:\testi\transit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.piaggio.com:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = piaggionet*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - e:\Programmi\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [Babylon Translator] C:\Programmi\Babylon\Babylon.exe
O4 - HKCU\..\Run: [DS Clock] "E:\Programmi\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Programmi\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Programmi\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [TimeCalendar] "C:\Programmi\TimeCalendar\TC.exe" auto
O4 - Startup: Eudora.lnk = C:\Eudora\Eudora.exe
O4 - Startup: SpywareGuard.lnk = E:\programmi\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\Software\..\Telephony: DomainName = piaggio.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3

Thank you very much again
Riccardo
 
#17 ·
Run HJT again and put a check in the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Programmi\SpyKiller\spykiller.exe /startup

Close all applications and browser windows before you click "fix checked".

Restart in safe mode

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders"
Click "Apply" then "OK".

Delete this file:
C:\WINDOWS\inetm\services.exe

Empty your recycle bin.

Reboot.

You should remove SpyKiller,
http://www.spywarewarrior.com/rogue_anti-spyware.htm
 
#18 ·
Cybertech,
it worked!!!!!!! Thank you, thank you, thank you very much!!!!
Now XP tells me it can't find c:\windows\inetm\services.exe when I restart XP. Is there any way to avoid that warning? Does the missing file adversely affect the system?
May I activate the Google Deskbar? Might the worm still reside there?

Thank you very much again.
Riccardo
 
#20 ·
Cybertech,
since my PC had been infected, I noticed that notepad no longer worked. After your last reply, I inadvertently tried to open the new HJT release's log with notepad, by means of the Send To menu. As soon as I tried, Spywareguard told me the IE homepage was changing to searchportal.info. So I think I activated the virus by means of a dummy notepad. After that, I ran HJT again.
Here's the present HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 12.54.10, on 08/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\MSC~1.ADA\network\win32\lmgrd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\MSC~1.ADA\network\win32\adamsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Intel\ASF Agent\ASFAgent.exe
C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\Programmi\DS Clock\dsclock.exe
C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programmi\TimeCalendar\TC.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Microsoft Office\Office\1040\msoffice.exe
C:\Eudora\Eudora.exe
C:\Programmi\Microsoft Hardware\Mouse\POINT32.EXE
C:\Programmi\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\inetm\services.exe
C:\antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.piaggio.com:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = piaggionet*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - e:\Programmi\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [Babylon Translator] C:\Programmi\Babylon\Babylon.exe
O4 - HKCU\..\Run: [DS Clock] "E:\Programmi\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Programmi\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [TimeCalendar] "C:\Programmi\TimeCalendar\TC.exe" auto
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - Startup: Eudora.lnk = C:\Eudora\Eudora.exe
O4 - Startup: SpywareGuard.lnk = E:\programmi\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\Software\..\Telephony: DomainName = piaggio.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3

Shall I look for the items you told me to fix last time? Thank you very much.
 
#21 ·
Run HJT again and put a check in the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info
F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe

Close all applications and browser windows before you click "fix checked".

Restart in Safe Mode

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete this folder: C:\WINDOWS\inetm

Then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it.

As XP will not let you delete files less than 24 hours old, as it thinks it might need them, please also do this:
While in the temp folder, select view and select details.
Then right click a blank part and select arrange icons by, and select show in groups and modified; that will give a list of all files in date order with today at the top of the page.
Select all the files/folders except the today ones and delete them all.

And select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well.

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then
Reboot normally &

download CWshredder from http://www.thespykiller.co.uk then Run it
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.

Download Adaware SE http://lavasoft.element5.com/software/adaware/

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window: Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next)

Reboot and post another HJT log for review.
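
The entries checked in the fix lists above share one pattern: several autostart locations (O4 Run keys, F3 win.ini run=) launch a file named like a Windows system process from a folder other than System32. The following is an added example, not part of the original thread and not HijackThis's own logic, that parses HijackThis log lines and groups every autostart location pointing at such a file. The function names and the `EXPECTED_DIR` table (built from the system processes visible in the posted logs) are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info
F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [DS Clock] "E:\Programmi\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
"""

# Assumption: expected folders for the system processes seen in the posted logs.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_KEY = re.compile(r"^(?P<loc>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP = re.compile(r"^(?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
WIN_INI = re.compile(r"^REG:win\.ini: (?P<key>run|load)=(?P<cmd>.+)$")


def executable_of(cmd):
    """Return the program part of a command line, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe" boundary.
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_autostarts(log):
    """Extract (location, executable) pairs from O4 and F3 lines."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code == "O4":
            hit = RUN_KEY.match(body) or STARTUP.match(body)
            if hit:
                entries.append((f"{hit['loc']} [{hit['name']}]", executable_of(hit["cmd"])))
        elif code == "F3":
            hit = WIN_INI.match(body)
            if hit:
                entries.append((f"win.ini {hit['key']}=", executable_of(hit["cmd"])))
    return entries


def find_masquerades(entries):
    """Map each system-named file in an unexpected folder to all its autostart locations."""
    found = {}
    for location, exe in entries:
        folder, base = ntpath.split(exe)
        expected = EXPECTED_DIR.get(base.lower())
        # A bare name (no folder) is resolved via the search path and cannot be judged here.
        if expected and folder and folder.lower() != expected:
            found.setdefault(exe.lower(), []).append(location)
    return found


if __name__ == "__main__":
    for exe, locations in find_masquerades(parse_autostarts(SAMPLE_LOG)).items():
        print(exe)
        for location in locations:
            print("   launched from:", location)
```

Every location listed for a flagged file has to be fixed in the same pass as the file itself, which is why the fix lists above check the HKLM Run, HKCU Run and win.ini entries together.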
 
#22 ·
Cybertech,
I'm afraid the problem is still there. I had a look at the HJT log I got at the end of the cleaning process you suggested. It still contains references to searchportal.info and to c:\windows\inetm\services.exe.
Moreover, I had chosen a different text editor to open log files, instead of Notepad, which hasn't been working since my PC was infected. Well, every time I reboot, the default application to open log files switches back to notepad.
Moreover, last time IE homepage switched to searchportal.info, it happened immediately after I inadvertently tried to open a text file with Notepad.
Here's the last HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 9.14.10, on 09/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\MSC~1.ADA\network\win32\lmgrd.exe
C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\Programmi\DS Clock\dsclock.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\MSC~1.ADA\network\win32\adamsd.exe
C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programmi\TimeCalendar\TC.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Intel\ASF Agent\ASFAgent.exe
C:\Programmi\Babylon\Babylon.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Microsoft Office\Office\1040\msoffice.exe
C:\Eudora\Eudora.exe
E:\programmi\SpywareGuard\sgmain.exe
E:\programmi\SpywareGuard\sgbhp.exe
C:\antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchportal.info
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.piaggio.com:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = piaggionet*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - e:\Programmi\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [DS Clock] "E:\Programmi\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Programmi\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [TimeCalendar] "C:\Programmi\TimeCalendar\TC.exe" auto
O4 - HKCU\..\Run: [Babylon Translator] C:\Programmi\Babylon\Babylon.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - Startup: Eudora.lnk = C:\Eudora\Eudora.exe
O4 - Startup: SpywareGuard.lnk = E:\programmi\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\Software\..\Telephony: DomainName = piaggio.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3

Thank you very much
 
#24 ·
You are not able to delete this folder C:\WINDOWS\inetm ?

Download TheKillbox from here:

http://www.downloads.subratam.org/KillBox.zip

Unzip the files to the folder of your choice.

Double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

C:\WINDOWS\inetm

Select "Delete on Reboot".

Reboot the machine and check to see if it's gone.
 
#25 ·
Cybertech,
since Sept. 9th the homepage hasn't changed anymore. As you can see in the following log (generated today), searchportal has disappeared, but the inetm folder is still there.
Shall I delete the folder, even though the problem seems to be gone?
I deleted it some days ago, when the hijacker was still here, but XP told me the file inetm\services.exe was missing whenever I rebooted.
So, if you think the folder is now harmless, I won't make killbox delete it, to avoid the XP message when I reboot.
That notwithstanding, adaware keeps on finding items every day. Is that normal?
Finally, I never tried to open Notepad again, since the last disaster....

Thank you very much
Riccardo

Logfile of HijackThis v1.98.2
Scan saved at 14.33.18, on 13/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\Programmi\DS Clock\dsclock.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programmi\TimeCalendar\TC.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Intel\ASF Agent\ASFAgent.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Microsoft Office\Office\1040\msoffice.exe
E:\programmi\SpywareGuard\sgmain.exe
E:\programmi\SpywareGuard\sgbhp.exe
C:\WINDOWS\inetm\services.exe
C:\Programmi\Microsoft Hardware\Mouse\POINT32.EXE
C:\Programmi\Microsoft Office\Office\POWERPNT.EXE
C:\PROGRA~1\MSC~1.ADA\network\win32\lmgrd.exe
C:\PROGRA~1\MSC~1.ADA\network\win32\adamsd.exe
C:\Programmi\Jasc Software Inc\Paint Shop Pro 8\Paint Shop Pro.exe
C:\WINDOWS\System32\svchost.exe
E:\ptc\programmi\proe\i486_nt\nms\nmsd.exe
E:\ptc\programmi\proe\i486_nt\obj\xtop.exe
E:\ptc\programmi\proe\i486_nt\obj\pro_comm_msg.exe
C:\PROGRA~1\ANSYSI~1\v81\AISOL\CADINT~1\ACTIVE~1.EXE
E:\ptc\programmi\proe\i486_nt\obj\pglclock.exe
C:\Eudora\Eudora.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Babylon\Babylon.exe
C:\WINDOWS\hh.exe
C:\Programmi\Microsoft Office\Office\WINWORD.EXE
C:\Programmi\WinRAR\WinRAR.exe
C:\Programmi\ANSYS Inc\v81\AISOL\CommonFiles\AnsysWBU.exe
C:\Programmi\File comuni\Microsoft Shared\Artgalry\ARTGALRY.EXE
C:\antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltheweb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltheweb.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.piaggio.com:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = piaggionet*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - e:\Programmi\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [DS Clock] "E:\Programmi\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Programmi\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [TimeCalendar] "C:\Programmi\TimeCalendar\TC.exe" auto
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [Babylon Translator] C:\Programmi\Babylon\Babylon.exe
O4 - Startup: Eudora.lnk = C:\Eudora\Eudora.exe
O4 - Startup: SpywareGuard.lnk = E:\programmi\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\Software\..\Telephony: DomainName = piaggio.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = piaggio.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{12DB117D-8366-4D1A-B2A4-06052995D77B}: NameServer = 10.10.1.2,10.10.1.3
 
#26 ·
No, I don't think you should leave it.

Go here and run at least two of the online scanners.
http://forums.techguy.org/t110854/s.html

If that does not find it, then do this again and make sure you don't miss one of the lines.
Run HJT again and put a check in the following:

F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe

Close all applications and browser windows before you click "fix checked".

Restart in Safe Mode

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", click "Apply", then "OK".

Delete the file:
C:\WINDOWS\inetm\services.exe

Reboot and post another log.
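
The four entries listed in the post above share two patterns a log triage can check mechanically: a core Windows process name (`services.exe`) started from a folder other than `system32`, and a BHO registration whose file is missing. The following is an added example, not part of the original thread and not a HijackThis feature; `triage`, the name list and the default `C:\WINDOWS\system32` location are assumptions, and the sample lines are copied from the log in post #25.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a few lines copied from the 13/09/2004 log in post #25.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\services.exe
C:\WINDOWS\inetm\services.exe
F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - e:\Programmi\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"""

# Assumption: Windows is installed in the default location seen in the log.
SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\system32")
# Core process names that the log's process list shows running from system32.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe"}

ENTRY_RE = re.compile(r"^([A-Z]\d+) - ")  # HijackThis section code, e.g. "O4 - "
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)


def triage(log_text):
    """Return (section, reason, line) for each log line worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = ENTRY_RE.match(line)
        section = entry.group(1) if entry else "process"
        if section == "O2" and line.endswith("(no file)"):
            findings.append((section, "BHO registered but its file is missing", line))
            continue
        found = PATH_RE.search(line)
        if not found:
            continue
        # PureWindowsPath compares case-insensitively, like the file system.
        path = PureWindowsPath(found.group(0))
        if path.name.lower() in SYSTEM_NAMES and path.parent != SYSTEM_DIR:
            findings.append((section, "system process name outside system32", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

The check flags the running `inetm\services.exe` process as well as its three autostart entries, which is why removing only the file left the "file missing" message at boot.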
 