Resent to drusearch.com


  • This topic is locked
3 replies to this topic

#1 Andrea

Posted 18 July 2004 - 10:46 AM

I read the FAQ and followed the directions.

I scanned with Ad-Aware and with Spybot with all updates installed.

Unfortunately, when I restart the computer, I still find http://drusearch.com/user18/ set as the IE Home Page, even though I cleaned the relevant R0 and R1 entries with HijackThis.

Note: the first R0, which shows http://localhost/ete...k_miei_menu.php, is the correct one, but it does not seem to be used.

Thanks in advance for any help.
Andrea


Logfile of HijackThis v1.98.0
Scan saved at 16.54.25, on 18/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
[My note: it's 6.0]

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
C:\Programmi\EasyPHP\easyphp.exe
C:\Util\av\antivir\AVGUARD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Util\av\antivir\AVWUPSRV.EXE
C:\Programmi\Trust mouse utility\1.0\mouse32a.exe
C:\Util\av\antivir\AVGNT.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\hrtcm.exe
C:\Programmi\Messenger\msmsgs.exe
C:\PROGRA~1\EasyPHP\MySql\bin\mysqld-nt.exe
C:\Programmi\Gestimg\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Programmi\Gestimg\Trust\Trust 730S LCD PowerCAM ZOOM\ICON.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\EasyPHP\Apache\apache.exe
C:\Programmi\MainPrg\OOffice\program\soffice.exe
C:\PROGRA~1\EasyPHP\Apache\apache.exe
C:\Util\Files\WinCommander\WINCMD32.EXE
C:\Util\av\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost/ete...k_miei_menu.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://drusearch.com/user18/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://drusearch.com...r18/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://drusearch.com...r18/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://drusearch.com...r18/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://drusearch.com/user18/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://drusearch.com/user18/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Util\av\Spybot\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EasyPHP] C:\Programmi\EasyPHP\easyphp.exe
O4 - HKLM\..\Run: [hpppta] c:\util\scanner\HP\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [FLMTRUSTMOUSE] C:\Programmi\Trust mouse utility\1.0\mouse32a.exe
O4 - HKLM\..\Run: [zSPGuard] c:\util\av\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [CIPWES] C:\WINDOWS\CIPWES.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Util\av\antivir\AVGNT.EXE" /min
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.0.lnk = C:\Programmi\MainPrg\OOffice\program\quickstart.exe
O4 - Global Startup: Controllo del Calendario di Ulead Photo Express.lnk = C:\Programmi\Gestimg\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: Trust 730S LCD PowerC@M ZOOM Monitor.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {1222332C-79AD-11D2-B842-444553540000} (XIper3Rd Lettore IPER 3) - file://E:\bin\XIper3RdLib.ocx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...370/mcfscan.cab

#2 dave38

Posted 18 July 2004 - 05:44 PM

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://drusearch.com/user18/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://drusearch.com...r18/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://drusearch.com...r18/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://drusearch.com...r18/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://drusearch.com/user18/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://drusearch.com/user18/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O4 - HKLM\..\Run: [CIPWES] C:\WINDOWS\CIPWES.exe
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe

Reboot and delete files:
C:\WINDOWS\CIPWES.exe
C:\WINDOWS\hrtcm.exe

These may be hidden files. See HERE for how to show hidden files.

Please post a follow-up HijackThis log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
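
As an added example (not part of the thread and not HijackThis's own logic), the sketch below triages a HijackThis log the way the reply above reads it: R0/R1 browser settings that point at an unexpected host, and O4 Run entries that launch an executable sitting directly in the Windows root. The sample lines are copied from the log in post #1; the `TRUSTED_HOSTS` allowlist and the "directly in C:\WINDOWS" rule are assumptions of this example, and a hit is a candidate for manual review, not a verdict.

```python
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis log in post #1 (untruncated values only).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://drusearch.com/user18/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://drusearch.com/user18/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CIPWES] C:\WINDOWS\CIPWES.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Util\av\antivir\AVGNT.EXE" /min
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe
"""

R_LINE = re.compile(r"^(R[0-3]) - ([^,]+),(.+?) = ?(.*)$")
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
EXE = re.compile(r'^"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)
WIN_ROOT = re.compile(r"[A-Za-z]:\\WINDOWS\\[^\\]+", re.IGNORECASE)

TRUSTED_HOSTS = {"localhost"}  # assumption: the poster's own local start page


def triage(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return (section, location, indicator) tuples worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            code, key, value_name, data = m.groups()
            is_url = data.lower().startswith("http")
            host = urlparse(data).hostname if is_url else None
            if host and host not in trusted_hosts:
                findings.append((code, f"{key},{value_name}", host))
            continue
        m = O4_RUN.match(line)
        if m:
            hive, run_key, name, command = m.groups()
            exe = EXE.match(command)
            # Heuristic (assumption): autostart binary directly in the Windows
            # root, not in system32 or an application folder.
            if exe and WIN_ROOT.fullmatch(exe.group(1)):
                findings.append(("O4", f"{hive}\\..\\{run_key} [{name}]", exe.group(1)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```
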

#3 Andrea

Posted 19 July 2004 - 03:04 AM

It seems to work! I did as you suggested (only I didn't find C:\WINDOWS\CIPWES.exe; I also looked in other directories), and I switched the computer off and on 3-4 times. Great!
Thanks a lot.
P.S.
Now I have the final confirmation, and I'll never browse with IE again!

#4 dave38

Posted 19 July 2004 - 03:57 PM

Glad to help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.