trojan problem

I saw in the forum that you’ve already helped a guy with the same problem…
I’ve got the HijackThis and the following is my log…

Could you please tell me which file I have to fix?

Thank you in advance for your time and help,
Emanuele

Logfile of HijackThis v1.99.1
Scan saved at 17.58.48, on 29/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\PAYTIME.EXE
C:\WINDOWS\NMSTT.EXE
C:\PROGRAMMI\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAMMI\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAMMI\LIBERO 6X\LIBEROACCEL.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAMMI\LIBERO 6X\PBHELPER.DLL
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [IrMon] IrMon.exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [internat.exe] internat.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKLM..\Run: [_Cat2] C:\WINDOWS\nmstt.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [avast!] C:\Programmi\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Avvio Office.lnk = C:\Programmi\Microsoft Office\Office\OSA.EXE
O4 - Startup: Ricerca rapida.lnk = C:\Programmi\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Libero Web Accelerator.lnk = C:\Programmi\Libero 6x\liberoaccel.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {B54CEBFE-9BB6-11D5-BA31-204C4F4F5020} (SoleCd.clsSolecd) - file://C:\Programmi\ilSoleCD\Solecd.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:\nosuch.mht!http://213.159.117.203/dl/adv407/x.chm::/load.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.216.112.112

Extract from Eddy’s log file analyser - Eddy’s Website click the “HiJackThis Section” and also the “Malware removal instructions and applications” section…

No software firewall detected. If you are not using a hardware firewall, it is highly recommended to install one.


GENERAL INFORMATION :

All items in the original HijackThis log file which are not shown here need further investigation.

Use www.google.com to find out more on items
not listed here or if you have doubts.

In addition to this application, you can also analyse the original HijackThis log on-line at: http://hijackthis.de


THESE ITEMS ARE EITHER HARMFUL OR A SECURITY RISK WE STRONGLY RECOMMEND TO FIX THEM :

r0 - hkcu\software\microsoft\internet explorer\toolbar
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra ‘tools’ menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o16 - dpf: {75d1f3b2-2a21-11d7-97b9-0010dc2a6243} (securelogin.securecontrol) - http://secure2.comned.com/signuptemplates/activesecurity.cab
o16 - dpf: {b54cebfe-9bb6-11d5-ba31-204c4f4f5020} (solecd.clssolecd) - file://c:\programmi\ilsolecd\solecd.cab
o16 - dpf: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.203/dl/adv407/x.chm::/load.exe

Run the hijackthis scan again and put a tick in the box on the left of these items and click on the Fix button.

Dear David,

Thank you a lot for your help so far. This is my new log… do you recommend that I fix something else?

I thought you would already have asked me to remove these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

But you didn’t…thank you for now,
hope to hear news from you soon,
my best greetings,
Emanuele

Logfile of HijackThis v1.99.1
Scan saved at 9.24.20, on 31/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\PAYTIME.EXE
C:\WINDOWS\NMSTT.EXE
C:\PROGRAMMI\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAMMI\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAMMI\LIBERO 6X\LIBEROACCEL.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAMMI\LIBERO 6X\PBHELPER.DLL
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [IrMon] IrMon.exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [internat.exe] internat.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKLM..\Run: [_Cat2] C:\WINDOWS\nmstt.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [avast!] C:\Programmi\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Avvio Office.lnk = C:\Programmi\Microsoft Office\Office\OSA.EXE
O4 - Startup: Ricerca rapida.lnk = C:\Programmi\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Libero Web Accelerator.lnk = C:\Programmi\Libero 6x\liberoaccel.exe
O8 - Extra context menu item: Mostra immagine originale - res://C:\PROGRAMMI\LIBERO 6X\LIBEROACCEL.EXE/227
O8 - Extra context menu item: Mostra tutte le immagini originali - res://C:\PROGRAMMI\LIBERO 6X\LIBEROACCEL.EXE/250
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {B54CEBFE-9BB6-11D5-BA31-204C4F4F5020} (SoleCd.clsSolecd) - file://C:\Programmi\ilSoleCD\Solecd.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.216.112.112

Extract from Eddy’s log file analyser:


CHECKING HIJACKTHIS, WINDOWS, INTERNET EXPLORER AND FIREWALL :

Old version of Internet Explorer detected, please update.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

r1 - hklm\software\microsoft\internet explorer\main
r1 - hkcu\software\microsoft\windows\currentversion\internet settings
o16 - dpf: {b54cebfe-9bb6-11d5-ba31-204c4f4f5020} (solecd.clssolecd) - file://c:\programmi\ilsolecd\solecd.cab

The entries that look suspicious to you also look suspicious to me. If those are not the start page you want, maybe you should fix them too.

Update: A whois trace gives me serious reasons to assume this address is a Coolwebsearch site. Better remove it too. Also, run CoolWebShredder from here: http://www.intermute.com/spysubtract/cwshredder_download.html

All of the R0 and R1 entries can and should go; strangely, they are not picked up by the automated analysis. They are start page redirects and are probably taking you to some dubious sites, where you are very likely to suffer adware and spyware infection.

However, there is absolutely no point in cleaning out the stable if you are going to leave the door open - get a firewall and, as Spyros mentioned, download and run CWShredder.

Item O16 may well be legitimate (not harmful as Spyros stated), depending on whether you have installed it to burn CDs (you will have to investigate this; use Google and search for solecd).

Dears,

As you have probably already understood, I’m not into the PC world too much… I’m doing my best, and your HELP is very instructive, THANK YOU A LOT.

My notebook is a Satellite 320 cdt, quite old and slow… I don’t connect to the web more than one hour a day… I think I cannot afford a firewall right now, maybe when I buy a new PC.

Following is my new log. I asked to fix R1 and R0 but HijackThis didn’t succeed. May I ask you why? Or how can I proceed?

In two minutes I will also run SpySubtract PRO. Let’s see.

Logfile of HijackThis v1.99.1
Scan saved at 18.08.44, on 31/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\PAYTIME.EXE
C:\WINDOWS\NMSTT.EXE
C:\PROGRAMMI\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAMMI\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAMMI\LIBERO 6X\LIBEROACCEL.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAMMI\LIBERO 6X\PBHELPER.DLL
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [IrMon] IrMon.exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [internat.exe] internat.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [avast!] C:\Programmi\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Avvio Office.lnk = C:\Programmi\Microsoft Office\Office\OSA.EXE
O4 - Startup: Ricerca rapida.lnk = C:\Programmi\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Libero Web Accelerator.lnk = C:\Programmi\Libero 6x\liberoaccel.exe
O8 - Extra context menu item: Mostra immagine originale - res://C:\PROGRAMMI\LIBERO 6X\LIBEROACCEL.EXE/227
O8 - Extra context menu item: Mostra tutte le immagini originali - res://C:\PROGRAMMI\LIBERO 6X\LIBEROACCEL.EXE/250
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {B54CEBFE-9BB6-11D5-BA31-204C4F4F5020} (SoleCd.clsSolecd) - file://C:\Programmi\ilSoleCD\Solecd.CAB

Every time you start Internet Explorer, the start page downloads some little trojan and you are re-infected.

Best you run CWShredder (refer to Spyros’ post) and change your start pages.
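An added example, not part of any post in this thread: a small Python check that flags the entry types the replies above single out (R0/R1 page settings pointing at a bare IP address, and an O16 codebase using a scheme other than http, https or file) and reports which of them survive into a later scan. The two heuristics and all function names are assumptions made for this illustration, not the rules used by HijackThis or by the log analyser quoted above; the sample lines are copied from the logs posted earlier.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Lines copied from the 29/03 and 31/03 (18.08.44) logs in this thread.
SCAN_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O16 - DPF: {B54CEBFE-9BB6-11D5-BA31-204C4F4F5020} (SoleCd.clsSolecd) - file://C:\Programmi\ilSoleCD\Solecd.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:\nosuch.mht!http://213.159.117.203/dl/adv407/x.chm::/load.exe
"""
SCAN_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
O16 - DPF: {B54CEBFE-9BB6-11D5-BA31-204C4F4F5020} (SoleCd.clsSolecd) - file://C:\Programmi\ilSoleCD\Solecd.CAB
"""

ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.+)$")
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
EXPECTED_SCHEMES = {"http", "https", "file"}  # assumption for this example


def classify(line):
    """Return a reason string if the entry matches a heuristic, else None."""
    match = ENTRY.match(line.strip())
    if not match:
        return None
    section, body = match.groups()
    if section in ("R0", "R1") and " = " in body:
        # Format: <registry key>,<value name> = <data>
        data = body.split(" = ", 1)[1]
        host = urlsplit(data).hostname
        try:
            ipaddress.ip_address(host or "")
        except ValueError:
            return None  # not a URL, or the host is a name rather than an IP
        return f"{section}: IE page setting points at bare IP {host}"
    if section == "O16":
        # Format: DPF: {CLSID} [(name)] - <codebase URL>
        codebase = body.rsplit(" - ", 1)[-1]
        scheme = SCHEME.match(codebase)
        if scheme and scheme.group(1).lower() not in EXPECTED_SCHEMES:
            return f"O16: codebase uses unusual scheme '{scheme.group(1)}'"
    return None


def flag(log_text):
    """Map each flagged log line to the reason it was flagged."""
    flagged = {}
    for raw in log_text.splitlines():
        reason = classify(raw)
        if reason:
            flagged[raw.strip()] = reason
    return flagged


def persisting(before, after):
    """Flagged lines from the earlier scan that are still in the later one."""
    later = {line.strip() for line in after.splitlines()}
    return [line for line in flag(before) if line in later]


if __name__ == "__main__":
    for line, reason in flag(SCAN_BEFORE).items():
        print(reason, "|", line)
    print("still present after fix attempt:", len(persisting(SCAN_BEFORE, SCAN_AFTER)))
```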

Dear Evangelists,

Actually this was my very first time that I visited a forum to solve pc problems.

I sincerely appreciated your HELP and SUPPORT.

I hope I succeeded in fixing my PC… anyway, maybe you can still have a look at my log files to give me some more advice.

THANK YOU AGAIN
emax


hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 15.40.27, on 05/04/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAMMI\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAMMI\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAMMI\LIBERO 6X\LIBEROACCEL.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAMMI\LIBERO 6X\PBHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [IrMon] IrMon.exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [internat.exe] internat.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [avast!] C:\Programmi\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Avvio Office.lnk = C:\Programmi\Microsoft Office\Office\OSA.EXE
O4 - Startup: Ricerca rapida.lnk = C:\Programmi\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Libero Web Accelerator.lnk = C:\Programmi\Libero 6x\liberoaccel.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {B54CEBFE-9BB6-11D5-BA31-204C4F4F5020} (SoleCd.clsSolecd) - file://C:\Programmi\ilSoleCD\Solecd.CAB


Spy Subtract:

--------------------------------- SpySubtract session started ---------------------------------
Machine=F1U9J8
Time=Thu Mar 31 18:24:37 2005
Product Version=1, 0, 1, 49
OS Version=Microsoft Windows 98 SE

	Started Scanning
	Programs in Memory
	Finished Scanning

--------------------------------- SpySubtract session started ---------------------------------
Machine=F1U9J8
Time=Tue Apr 05 15:08:05 2005
Product Version=1, 0, 1, 49
OS Version=Microsoft Windows 98 SE

--------------------------------- SpySubtract session started ---------------------------------
Machine=F1U9J8
Time=Tue Apr 05 15:11:04 2005
Product Version=1, 0, 1, 49
OS Version=Microsoft Windows 98 SE

	Started Scanning
	Programs in Memory
	Finished Scanning
	Started Scanning
	Files and Directories
	Programs in Memory
	Internet URL Shortcuts
	Internet Cookies
	Windows Registry
	Finished Scanning
	Started Cleaning
	Internet Explorer/MSN/AOL Cache
	Internet Browser History
	AOL URL History
	Media Player history
	RealPlayer History
	Windows common dialog recently used file list
	Windows Search History
	Windows Temp Files
	Windows Document History
	Windows Run History
	Recycle Bin
	Start Menu Order/Click History
	MS Download Temp Directory
	Google Search History
	Winzip Recent File List
	Adobe Acrobat recent file list
	Microsoft Word recent file list
	Microsoft Excel recent file list
	Microsoft PowerPoint recent file list
	Microsoft Access recent file list
	Internet Explorer Auto-complete data
	Jasc Paint Shop Pro History
	AOL Instant Messenger Recent Users
	AOL Instant Messenger Download Folder
	Yahoo Messenger User Profiles
	Yahoo Messenger Transaction Log
	Cookies
	Finished Cleaning

**** Run Keys ****

RUN: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
RUN: [TaskMonitor] C:\WINDOWS\taskmon.exe
RUN: [SystemTray] SysTray.Exe
RUN: [IrMon] IrMon.exe
RUN: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
RUN: [internat.exe] internat.exe
RUN: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
RUN: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
RUN:

**** Browser Helper Objects ****

BHO: [AcroIEHlprObj Class] C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
BHO: [PBlockHelper Class] C:\PROGRAMMI\LIBERO 6X\PBHELPER.DLL
BHO: [Loader Class] C:\WINDOWS\SYSTEM\Loader.dll

**** IE Toolbars ****

TOOLBAR: [@msdxmLC.dll,-1@1040,&Radio] C:\WINDOWS\SYSTEM\MSDXM.OCX

**** IE Extensions ****

**** Hosts File Entries ****

**** IE Settings ****

Default Page: http://213.159.117.134/index.php
Default Search: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Local Page: http://213.159.117.134/index.php
Search Page: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

**** IE Context Menu (Right click) ****

**** Layered Service Providers ****

LSP: MS.w95.spi.tcp
LSP: MS.w95.spi.udp
LSP: MS.w95.spi.rsvptcp
LSP: MS.w95.spi.rsvpudp

**** Blocked Control Panel Items ****

BLOCKED:

**** Downloaded Program Files ****

Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso4.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]

**** Custom IE Search Items ****

SEARCH:
SEARCH: [SearchAssistant] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

Hi emax,

Remove these with HijackThis:

O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {B54CEBFE-9BB6-11D5-BA31-204C4F4F5020} (SoleCd.clsSolecd) - file://C:\Programmi\ilSoleCD\Solecd.CAB

Also, if you don’t know what this is (I can’t find any info on it), then remove this entry as well:

O4 - Startup: Libero Web Accelerator.lnk = C:\Programmi\Libero 6x\liberoaccel.exe

Also try running CWshredder again: http://cwshredder.net/bin/CWShredder.exe

Also you need to go to www.windowsupdate.com and update your windows and IE.

–lee

Your HJT log appears to be relatively clear now - the two O14 items I feel are unnecessary and could be suspicious.
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=

I suggest you get a software firewall as first suggested on 30/03. Firewalls may let in adware that has been authorised for download (often duped) but their great strength is in stopping it gaining access to the internet to download more.

Unless you do this, you are likely to be revisiting this problem again.

I haven’t heard of Spy Subtract: so I can’t really comment on its findings.

Some recommendations: Outpost, Sygate and ZoneAlarm