David Romagnoli said:
Logfile of HijackThis v1.98.2
Scan saved at 15.39.02, on 01/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINDOWS\system32\TrueCryptService.exe
Some freebie Sourceforge encrypting service. If you don't need your
currently encrypted data right now during testing, disable this service
to make sure it isn't causing conflicts. You don't need something
sucking up memory to provide a convenience VDISK when you are trying to
solve problems.
Besides the startup programs you disabled in msconfig.exe to reboot
without them (but which apparently didn't help), make sure to go through
all the services to disable non-critical ones during testing.
C:\WINDOWS\System32\dllhost.exe
This usually gets left over from some poorly written COM+ object. No
big deal.
C:\Programmi\Internet Explorer\iexplore.exe
Were you actually running an instance of Internet Explorer when you ran
HijackThis? You need to kill all regular applications to get to as base
a state as possible under which the problem occurs. Otherwise, this might've been a
remnant copy of IE left in memory; Windows still has problems forcing
programs to unload when they hang during their exit. Also, some malware
will open a "hidden" instance of IE (without a window) so they can run a
script with a timer to repeatedly inflict damage at intervals. You
close the browser that opened but the hidden parent copy of IE is still
loaded so it occurs again.
If you never opened IE (so that a script could load a hidden instance of
it) then some program is loading it. You could use a file monitor to
see who accesses the iexplore.exe file, like SysInternals' FileMon.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
This looks suspicious. Maybe it is some malware crap left over after
you used Spybot or Ad-Aware to attempt to eradicate it.
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
Windows Media Player 2 ActiveX Control.
O4 - Startup: Tcpview.exe.lnk = C:\PROGDVD\UTILITA\Tcpview.exe
Is this the TCPview utility from SysInternals? Why are you loading it
on startup?
O8 - Extra context menu item: Collegamenti a ritroso -
res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili -
res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina -
res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
I don't read whatever language that is. Looks like the Collegamenti
thingie above might have to do with the Google toolbar.
Have you tried uninstalling all the extras that you tacked onto IE
(i.e., Google toolbar, any BHOs, etc.)? Use BHO Demon to see what BHOs
you have installed. Some, like the Acrobat Reader, can be disabled
through a configuration option within that program (rather than having
to uninstall it). Internet Options -> General tab -> Settings -> View
Objects will show you what AX controls are registered for integration
into IE; you can right-click on them to Remove them (but that only
removes that AX control and not the parent software for it; e.g., Sun
installs its control to provide a JVM for IE but I suspect removing it
does not remove all of Sun's Java RT and you'll have to rerun their
install program to put it all back).
I don't know which firewall software you are running on your problematic
host. Some will let you know when an unauthorized program attempts to
use an authorized program to make an Internet connection. For example,
there is a TooLeaky test that will show a never-authorized program can
use IE (a previously authorized program) to make a connection. Norton
Internet Security has some buried option to watch for this. I recall
the Sygate Personal Firewall also had this feature. Don't know about
other firewalls. Then you could see if it was IE that was attempting to
make the connection or if something was hiding behind it.