Aiutamici Forum
Benvenuto Ospite Cerca | Topic Attivi | Utenti | | Log In | Registra

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » logfile di hijackthis

logfile di hijackthis Opzioni
Topic Precedente · Topic Sucessivo
_marta_
Inviato: Monday, January 10, 2005 12:51:50 PM
Rank: Member

Iscritto dal : 1/10/2005
Posts: 0
Ho visto che molti hanno il mio stesso problema.
Ho fatto eseguire lo scanner del mio computer da hijackthis, ma ora non vorrei rischiare di eliminare qualcosa di utile. potete dirmi cosa devo fare?
questo è il logfile:

Logfile of HijackThis v1.98.2
Scan saved at 11.43.25, on 10/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\removeme.exe
C:\WINDOWS\System32\lmas.exe
C:\WINDOWS\System32\swwhost.exe
C:\WINDOWS\System32\Winregs32.exe
C:\WINDOWS\System32\cvrsss.exe
C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\winloggs.exe
C:\TBC.exe
C:\programmi\sgrunt\IE4321.exe
C:\Program Files\Windows ServeAd\WinServAd.exe
C:\WINDOWS\System32\winmplayd.exe
C:\WINDOWS\System32\winpdgs.exe
C:\Program Files\Windows ServeAd\WinServSuit.exe
C:\WINDOWS\System32\java.exe
C:\WINDOWS\System32\winmedplay.exe
C:\WINDOWS\SYSCFG16.EXE
C:\Program Files\DeskAd Service\DeskAdServ.exe
C:\temp\salm.exe
C:\Program Files\DeskAd Service\DeskAdKeep.exe
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\AUTOEXECC.exe
C:\WINDOWS\system32\svphost.exe
C:\WINDOWS\System32\tmpf02.exe
C:\WINDOWS\System32\tmpf03.exe
C:\WINDOWS\System32\tmpf04.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\luigi\IMPOST~1\Temp\Rar$EX02.749\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/004/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/004/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/004/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/004/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/004/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/004/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/004/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da FastWeb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;(local)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\DOCUME~2\daunload\SPYBOT~1\SDHelper.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINDOWS\webdir.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
O4 - HKLM\..\Run: [Microsoft Update Machine] Winregs32.exe
O4 - HKLM\..\Run: [zonealarm] removeme.exe
O4 - HKLM\..\Run: [Windows media services] cvrsss.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows debug logging] winloggs.exe
O4 - HKLM\..\Run: [msnmsg] C:\TBC.exe
O4 - HKLM\..\Run: [Olympic] c:\programmi\sgrunt\IE4321.exe
O4 - HKLM\..\Run: [Rr0+¿ÔÇè]Iú" ‹üžigÅC:\Programmi\ISTsvc\istsvc.exe] C:\WINDOWS\cqoojeji.exe
O4 - HKLM\..\Run: [Microsoft Management] lmas.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [Microsofts media] winmplayd.exe
O4 - HKLM\..\Run: [Windows PDG] winpdgs.exe
O4 - HKLM\..\Run: [Microsofts Legacy Support] java.exe
O4 - HKLM\..\Run: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [nih] C:\WINDOWS\nih.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Winregs32.exe
O4 - HKLM\..\RunServices: [zonealarm] removeme.exe
O4 - HKLM\..\RunServices: [Windows media services] cvrsss.exe
O4 - HKLM\..\RunServices: [Windows debug logging] winloggs.exe
O4 - HKLM\..\RunServices: [Microsoft Management] lmas.exe
O4 - HKLM\..\RunServices: [Microsofts media] winmplayd.exe
O4 - HKLM\..\RunServices: [Windows PDG] winpdgs.exe
O4 - HKLM\..\RunServices: [Microsofts Legacy Support] java.exe
O4 - HKLM\..\RunServices: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunOnce: [zonealarm] removeme.exe
O4 - HKLM\..\RunOnce: [Microsoft Management] lmas.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] Winregs32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [zonealarm] removeme.exe
O4 - HKCU\..\Run: [Windows debug logging] winloggs.exe
O4 - HKCU\..\Run: [Microsoft Management] lmas.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\RunOnce: [zonealarm] removeme.exe
O4 - HKCU\..\RunOnce: [Microsoft Management] lmas.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O13 - DefaultPrefix: http://nowfind.net/rand/gallery.php?url=
O13 - WWW Prefix: http://nowfind.net/rand/gallery.php?url=
O13 - Home Prefix: http://nowfind.net/rand/gallery.php?url=
O13 - Mosaic Prefix: http://nowfind.net/rand/gallery.php?url=
O15 - Trusted Zone: www.master69.biz
O15 - Trusted Zone: www.sgrunt.biz
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: www.yeak.net
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://www.accessoveloce.com/nd/nd01207.exe
O16 - DPF: {00000000-0000-0000-0000-000020050000} - http://www.accessoveloce.com/nd/nd03141.exe
O16 - DPF: {00000000-0000-0000-0000-002120570000} - http://www.pgsconnect.com/access/pgs0267.exe
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.manidifata.it/CFIDE/classes/CFJava.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c18.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {31F11DFA-3A23-4BC0-89B4-2FB3FB43525B} (Pro_Web016.ProWeb016) - http://sessogratis.net/ProWeb016.CAB
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-it/it/games3.cab
O16 - DPF: {BB1B5064-1496-4E40-A80D-EFF7C5A953A6} (VacPro.italy_vdem) - http://207.234.185.217/italy_vdem.CAB
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.it/app/uploader/FileUploader.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1044446.exe
O21 - SSODL: eplrr - {FFD11B09-B2D6-40F1-A593-C55AF64D1727} - C:\WINDOWS\System32\eplrr3.dll

vi prego aiutatei ho il computer quasi inutilizzabile!
grazie a tutti!!
Torna in alto
 
Sponsor
Inviato: Monday, January 10, 2005 12:51:50 PM

 
Torna in alto
 
alfonso
Inviato: Monday, January 10, 2005 3:17:55 PM

Rank: AiutAmico

Iscritto dal : 10/5/2000
Posts: 19,132
Ciao ,
esegui queste operazioni

1) Disattiva il ripristino di configurazione, leggi qui come fare
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=257&SH=N

2) riavvia in modalità provvisoria, leggi qui come fare
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=344&SH=N

apri HIJAC THIS ed elimina come indicato in questo articolo
http://www.aiutamici.com/software/descrizione.asp?CodSw=1175
le righe che seguono, (nel caso le righe da eliminare non compaiono in modalità provvisoria, eliminale dalla modalità normale e riavvia il computer).

==================================
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/004/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/004/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/004/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/004/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/004/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/004/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/004/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/004/index.html
-
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;(local)
-
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O1 - Hosts: auto.search.msn.com 127.0.0.1
-
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL
-
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINDOWS\webdir.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll
-
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
O4 - HKLM\..\Run: [Microsoft Update Machine] Winregs32.exe
O4 - HKLM\..\Run: [zonealarm] removeme.exe
O4 - HKLM\..\Run: [Windows media services] cvrsss.exe
-
O4 - HKLM\..\Run: [Windows debug logging] winloggs.exe
O4 - HKLM\..\Run: [msnmsg] C:\TBC.exe
O4 - HKLM\..\Run: [Olympic] c:\programmi\sgrunt\IE4321.exe
O4 - HKLM\..\Run: [Rr0+¿ÔÇè]Iú" ‹üžigÅC:\Programmi\ISTsvc\istsvc.exe] C:\WINDOWS\cqoojeji.exe
O4 - HKLM\..\Run: [Microsoft Management] lmas.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [Microsofts media] winmplayd.exe
O4 - HKLM\..\Run: [Windows PDG] winpdgs.exe
O4 - HKLM\..\Run: [Microsofts Legacy Support] java.exe
O4 - HKLM\..\Run: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [nih] C:\WINDOWS\nih.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Winregs32.exe
O4 - HKLM\..\RunServices: [zonealarm] removeme.exe
O4 - HKLM\..\RunServices: [Windows media services] cvrsss.exe
O4 - HKLM\..\RunServices: [Windows debug logging] winloggs.exe
O4 - HKLM\..\RunServices: [Microsoft Management] lmas.exe
O4 - HKLM\..\RunServices: [Microsofts media] winmplayd.exe
O4 - HKLM\..\RunServices: [Windows PDG] winpdgs.exe
O4 - HKLM\..\RunServices: [Microsofts Legacy Support] java.exe
O4 - HKLM\..\RunServices: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunOnce: [zonealarm] removeme.exe
O4 - HKLM\..\RunOnce: [Microsoft Management] lmas.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] swwhost.exe
-
O4 - HKCU\..\Run: [Microsoft Update Machine] Winregs32.exe
-
O4 - HKCU\..\Run: [zonealarm] removeme.exe
O4 - HKCU\..\Run: [Windows debug logging] winloggs.exe
O4 - HKCU\..\Run: [Microsoft Management] lmas.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\RunOnce: [zonealarm] removeme.exe
O4 - HKCU\..\RunOnce: [Microsoft Management] lmas.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] swwhost.exe
-
O13 - DefaultPrefix: http://nowfind.net/rand/gallery.php?url=
O13 - WWW Prefix: http://nowfind.net/rand/gallery.php?url=
O13 - Home Prefix: http://nowfind.net/rand/gallery.php?url=
O13 - Mosaic Prefix: http://nowfind.net/rand/gallery.php?url=
O15 - Trusted Zone: www.master69.biz
O15 - Trusted Zone: www.sgrunt.biz
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: www.yeak.net
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://www.accessoveloce.com/nd/nd01207.exe
O16 - DPF: {00000000-0000-0000-0000-000020050000} - http://www.accessoveloce.com/nd/nd03141.exe
O16 - DPF: {00000000-0000-0000-0000-002120570000} - http://www.pgsconnect.com/access/pgs0267.exe
-
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {31F11DFA-3A23-4BC0-89B4-2FB3FB43525B} (Pro_Web016.ProWeb016) - http://sessogratis.net/ProWeb016.CAB
-
O16 - DPF: {BB1B5064-1496-4E40-A80D-EFF7C5A953A6} (VacPro.italy_vdem) - http://207.234.185.217/italy_vdem.CAB
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.it/app/uploader/FileUploader.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1044446.exe
O21 - SSODL: eplrr - {FFD11B09-B2D6-40F1-A593-C55AF64D1727} - C:\WINDOWS\System32\eplrr3.dll

==================================

Con la funzione TROVA di Windows, cerca ed elimina questi file,

==================================
removeme.exe
lmas.exe
swwhost.exe
Winregs32.exe
cvrsss.exe
winloggs.exe
TBC.exe
IE4321.exe
WinServAd.exe
winmplayd.exe
winpdgs.exe
WinServSuit.exe
java.exe
winmedplay.exe
SYSCFG16.EXE
DeskAdServ.exe
salm.exe
DeskAdKeep.exe
SahAgent.exe
AUTOEXECC.exe
svphost.exe
tmpf02.exe
tmpf03.exe
tmpf04.exe
SEARCH~2.DLL
TBC.dll
webdir.dll
spm1316.dll
cqoojeji.exe
lmas.exe
WinCtlAd.exe
nih.exe
eplrr3.dll
==================================

al termine utilizza i programma AD-AWARE e SPYBOT indicati in questo articolo
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=388&SH=N

sempre in modalità provvisoria fai una scansione Antivirus

quindi riavvia il computer e controlla se il problema e risolto, se e tutto OK riattiva il ripristino configurazione disattivato all'inizio di questa procedura.

Inviaci nuovamente il log dopo la pulitura cosi controlliamo se e rimasto qualcosa.


<img src="http://www.aiutamici.com/ftp/images/avvi1.gif" border=0><img src="http://www.aiutamici.com/ftp/images/avvi2.gif" border=0><img src="http://www.aiutamici.com/ftp/images/avvi3.gif" border=0><img src="http://www.aiutamici.com/ftp/images/avvi4.gif" border=0>
Collaboratore Aiutamici
Torna in alto
 
_marta_
Inviato: Monday, January 10, 2005 6:07:06 PM
Rank: Member

Iscritto dal : 1/10/2005
Posts: 0
Ho fatto tutto quello che mi hai indicato e qualcosa ha cancellato ma credo che il problema non sia del tutto risolto.
ho usato Ad-aware e non mi segnala problemi mentre spybot individua una Registry Key che non riesce ad eliminare, la segnala come ISearchTech.SideFind
Comunque ti invio il nuovo logfile di hijackthis come mi hai detto.
grazie comunque.

Logfile of HijackThis v1.98.2
Scan saved at 17.50.21, on 10/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\fjesylkw.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Winregs32.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\System32\winloggs.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\lmas.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\luigi\IMPOST~1\Temp\Rar$EX01.556\HijackThis.exe
C:\Programmi\ISTsvc\istsvc.exe
C:\WINDOWS\System32\winmedplay.exe
C:\WINDOWS\System32\wuauclt.exe
C:\AUTOEXECC.exe
C:\WINDOWS\explorer.exe
F:\documenti Gino\daunload\Spybot - Search & Destroy\SpybotSD.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/004/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/004/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/004/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/004/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/004/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/004/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/004/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da FastWeb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\DOCUME~2\daunload\SPYBOT~1\SDHelper.dll
O2 - BHO: BHO Class - {CBEFB350-ED5B-4115-B846-C1041676B388} - C:\WINDOWS\System32\MyIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Rr0+¿ÔÇè]Iú" ‹üžigÅC:\Programmi\ISTsvc\istsvc.exe] C:\WINDOWS\cqoojeji.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [IsR9sY] C:\WINDOWS\fjesylkw.exe
O4 - HKLM\..\Run: [lolefsb] C:\WINDOWS\lolefsb.exe
O4 - HKLM\..\Run: [IST Service] C:\Programmi\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\RunServices: [Microsofts MediaScope] winmedplay.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] Winregs32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O13 - DefaultPrefix: http://nowfind.net/rand/gallery.php?url=
O13 - WWW Prefix: http://nowfind.net/rand/gallery.php?url=
O13 - Home Prefix: http://nowfind.net/rand/gallery.php?url=
O13 - Mosaic Prefix: http://nowfind.net/rand/gallery.php?url=
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.manidifata.it/CFIDE/classes/CFJava.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-it/itp/games12.cab
Torna in alto
 
alfonso
Inviato: Monday, January 10, 2005 6:33:17 PM

Rank: AiutAmico

Iscritto dal : 10/5/2000
Posts: 19,132
Ciao ,
esegui queste operazioni

1) Disattiva il ripristino di configurazione, leggi qui come fare
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=257&SH=N

2) riavvia in modalità provvisoria, leggi qui come fare
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=344&SH=N

apri HIJAC THIS ed elimina come indicato in questo articolo
http://www.aiutamici.com/software/descrizione.asp?CodSw=1175
le righe che seguono, (nel caso le righe da eliminare non compaiono in modalità provvisoria, eliminale dalla modalità normale e riavvia il computer).

==================================
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/004/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/004/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/004/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/004/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/004/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/004/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/004/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/004/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/004/index.html
-
O1 - Hosts: auto.search.msn.com 127.0.0.1
-
O2 - BHO: BHO Class - {CBEFB350-ED5B-4115-B846-C1041676B388} - C:\WINDOWS\System32\MyIE.dll
-
O4 - HKLM\..\Run: [Rr0+¿ÔÇè]Iú" ‹üžigÅC:\Programmi\ISTsvc\istsvc.exe] C:\WINDOWS\cqoojeji.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [IsR9sY] C:\WINDOWS\fjesylkw.exe
O4 - HKLM\..\Run: [lolefsb] C:\WINDOWS\lolefsb.exe
O4 - HKLM\..\Run: [IST Service] C:\Programmi\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\RunServices: [Microsofts MediaScope] winmedplay.exe
-
O4 - HKCU\..\Run: [Microsoft Update Machine] Winregs32.exe
-
O13 - DefaultPrefix: http://nowfind.net/rand/gallery.php?url=
O13 - WWW Prefix: http://nowfind.net/rand/gallery.php?url=
O13 - Home Prefix: http://nowfind.net/rand/gallery.php?url=
O13 - Mosaic Prefix: http://nowfind.net/rand/gallery.php?url=
==================================

Con la funzione TROVA di Windows, cerca ed elimina questi file,

==================================
MyIE.dll
cqoojeji.exe
WinCtlAd.exe
fjesylkw.exe
lolefsb.exe
istsvc.exe
winmedplay.exe
Winregs32.exe
AUTOEXECC.exe
winloggs.exe
lmas.exe
istsvc.exe
==================================

al termine utilizza i programma AD-AWARE e SPYBOT indicati in questo articolo
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=388&SH=N

sempre in modalità provvisoria fai una scansione Antivirus

quindi riavvia il computer e controlla se il problema e risolto, se e tutto OK riattiva il ripristino configurazione disattivato all'inizio di questa procedura.


Non lo avevo notato in precedenza, nel sistema non hai un programma Antivirus, ne un Firewall e il sistema non e aggiornato con SP1, pertanto se ricompare nuovamente queste righe, l'unica cosa che puoi fare e formattare il disco fisso e reinstallare tutto a nuovo, poi aggiornare il Windows XP da Windows Update, installare un Antivirus e un firewall, perché senza di questi anche se formatti il disco fisso, e solo questione di ore per infettarti nuovamente.
Leggi la mia guida alla protezione PC
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=132&SH=N
Collaboratore Aiutamici
Torna in alto
 
Utenti presenti in questo topic
Guest

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » logfile di hijackthis


Salta al Forum
Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Main Forum RSS : RSS

Aiutamici Theme
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.