Logfile of HijackThis v1.98.2
Scan saved at 12.50.49, on 12/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
D:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Programmi\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Programmi\Norton AntiVirus\SAVScan.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\Explorer.EXE
D:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\crsss.exe
D:\WINDOWS\System32\w32update.exe
D:\Programmi\File comuni\Real\Update_OB\realsched.exe
D:\Programmi\File comuni\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\explorer.exe
D:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Internet Optimizer\optimize.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Programmi\Messenger\msmsgs.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\exe\hack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=155574
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=155574
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nba.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gw.aliceadsl.it/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=155574
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nba.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] winn.exe
O4 - HKLM\..\Run: [WindowsRegKey update] ezuinlqwio.exe
O4 - HKLM\..\Run: [Windows Compliant] hpzlwh.exe
O4 - HKLM\..\Run: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\Run: [ALTER DATA] d:\windows\system32\ccdew\repcale.exe d:\windows\system32\ccdew\beird.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MS Remote Procedure Call] msrpc32.exe
O4 - HKLM\..\Run: [Windows media service] crsss.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] w32update.exe
O4 - HKLM\..\Run: [zoymfkk.scr] D:\DOCUME~1\DANIELE\IMPOST~1\Temp\zoymfkk.scr
O4 - HKLM\..\Run: [TkBellExe] "D:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wf6CRG] D:\WINDOWS\jkixnbuw.exe
O4 - HKLM\..\Run: [sais] d:\programmi\180solutions\sais.exe
O4 - HKLM\..\Run: [ccApp] "D:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [explorer] D:\WINDOWS\system32\explorer.exe -go -c32 -w
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [WebRebates0] "D:\Programmi\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] winn.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] ezuinlqwio.exe
O4 - HKLM\..\RunServices: [Windows Compliant] hpzlwh.exe
O4 - HKLM\..\RunServices: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\RunServices: [ALTER DATA] d:\windows\system32\ccdew\repcale.exe d:\windows\system32\ccdew\beird.exe
O4 - HKLM\..\RunServices: [MS Remote Procedure Call] msrpc32.exe
O4 - HKLM\..\RunServices: [Windows media service] crsss.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] w32update.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ALTER DATA] d:\windows\system32\ccdew\repcale.exe d:\windows\system32\ccdew\beird.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] winn.exe
O4 - HKCU\..\Run: [Start aThx Roll] f0mered.exe
O4 - HKCU\..\Run: [WindowsRegKey update] ezuinlqwio.exe
O4 - HKCU\..\Run: [Windows Compliant] hpzlwh.exe
O4 - HKCU\..\Run: [MS Remote Procedure Call] msrpc32.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] w32update.exe
O4 - HKCU\..\RunServices: [ALTER DATA] d:\windows\system32\ccdew\repcale.exe d:\windows\system32\ccdew\beird.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://D:\Programmi\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O10 - Unknown file in Winsock LSP: d:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\winlspak.dll
O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://movie.cinemastream.net/sc.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - D:\WINDOWS\System32\vbsys2 (file missing)