Log di Hijack - Sicurezza VIRUS

Benvenuto Ospite

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » Log di Hijack

Log di Hijack

Opzioni

Topic Precedente · Topic Sucessivo

yronic

Inviato: Monday, May 30, 2005 5:55:34 PM

Rank: Member

Iscritto dal : 11/25/2004
Posts: 0

Mi si è installato about blank come home page e nonostante ripetuti scan con spybot e ad aware non riesco a rimuoverlo.
Ti invio il log di Hijack... me lo controlli x favore?
Grazie mille

Logfile of HijackThis v1.98.2
Scan saved at 17:48:38, on 30/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\msdtc.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programmi\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\netrg.exe
C:\Documents and Settings\default\Documenti\Programmi\Sicurezza\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xkwzb.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkwzb.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xkwzb.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xkwzb.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkwzb.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xkwzb.dll/sp.html#83556
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xkwzb.dll/sp.html#83556
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {4FB1194E-D990-3D10-F676-4013A1C619B5} - C:\WINDOWS\atlyp32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iexplore.exe] c:\programmi\internet explorer\iexplore.exe
O4 - HKLM\..\Run: [netrg.exe] C:\WINDOWS\system32\netrg.exe
O4 - HKLM\..\RunOnce: [appit.exe] C:\WINDOWS\system32\appit.exe
O4 - HKLM\..\RunOnce: [d3pz.exe] C:\WINDOWS\d3pz.exe
O4 - HKLM\..\RunOnce: [apilw32.exe] C:\WINDOWS\system32\apilw32.exe
O4 - HKLM\..\RunOnce: [mspo32.exe] C:\WINDOWS\system32\mspo32.exe
O4 - HKLM\..\RunOnce: [windw32.exe] C:\WINDOWS\windw32.exe
O4 - HKLM\..\RunOnce: [mfcxp.exe] C:\WINDOWS\mfcxp.exe
O4 - HKLM\..\RunOnce: [ntsp.exe] C:\WINDOWS\ntsp.exe
O4 - HKLM\..\RunOnce: [msll32.exe] C:\WINDOWS\system32\msll32.exe
O4 - HKLM\..\RunOnce: [winfi.exe] C:\WINDOWS\system32\winfi.exe
O4 - HKLM\..\RunOnce: [javaga32.exe] C:\WINDOWS\javaga32.exe
O4 - HKLM\..\RunOnce: [atlvs.exe] C:\WINDOWS\system32\atlvs.exe
O4 - HKLM\..\RunOnce: [ntoo32.exe] C:\WINDOWS\ntoo32.exe
O4 - HKLM\..\RunOnce: [ntmn32.exe] C:\WINDOWS\system32\ntmn32.exe
O4 - HKLM\..\RunOnce: [sdkvu.exe] C:\WINDOWS\system32\sdkvu.exe
O4 - HKLM\..\RunOnce: [mfczf32.exe] C:\WINDOWS\system32\mfczf32.exe
O4 - HKLM\..\RunOnce: [atlne.exe] C:\WINDOWS\atlne.exe
O4 - HKLM\..\RunOnce: [apibg32.exe] C:\WINDOWS\apibg32.exe
O4 - HKLM\..\RunOnce: [apiew32.exe] C:\WINDOWS\apiew32.exe
O4 - HKLM\..\RunOnce: [winep.exe] C:\WINDOWS\winep.exe
O4 - HKLM\..\RunOnce: [atlgu.exe] C:\WINDOWS\atlgu.exe
O4 - HKLM\..\RunOnce: [ietw32.exe] C:\WINDOWS\ietw32.exe
O4 - HKLM\..\RunOnce: [appjm32.exe] C:\WINDOWS\appjm32.exe
O4 - HKLM\..\RunOnce: [msxo.exe] C:\WINDOWS\system32\msxo.exe
O4 - HKLM\..\RunOnce: [msrz32.exe] C:\WINDOWS\msrz32.exe
O4 - HKLM\..\RunOnce: [ipcs32.exe] C:\WINDOWS\ipcs32.exe
O4 - HKLM\..\RunOnce: [crgu32.exe] C:\WINDOWS\crgu32.exe
O4 - HKLM\..\RunOnce: [appvj.exe] C:\WINDOWS\appvj.exe
O4 - HKLM\..\RunOnce: [sdkfv.exe] C:\WINDOWS\sdkfv.exe
O4 - HKLM\..\RunOnce: [msjx.exe] C:\WINDOWS\system32\msjx.exe
O4 - HKLM\..\RunOnce: [d3sv.exe] C:\WINDOWS\system32\d3sv.exe
O4 - HKLM\..\RunOnce: [javawx.exe] C:\WINDOWS\javawx.exe
O4 - HKLM\..\RunOnce: [winms32.exe] C:\WINDOWS\system32\winms32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WKCALREM.LNK = C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programmi\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-0000-0000-0000-000020040000} - ms-its:mhtml:file://c:\foo.mht!http://67.15.130.39/x3x/itenergy.chm::/dialer.exe
O16 - DPF: {00000000-0023-0000-5400-320020040070} - http://66.240.181.129/gs/gsa0636.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116256005671
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {ADB880A6-D8FF-11CF-9377-00AA003B7A11} (HHCtrl Object) - http://195.225.176.5/d/khmeljb/ecviwiq/ilzgegq/jkrlhq/IT/hhctrl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FFB22BC-E89E-46DF-B8C2-28B1039BC1D4}: NameServer = 199.166.31.3,199.5.157.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6A7DFF8-71C5-4111-AF0F-F78E7EDE6B48}: NameServer = 69.50.176.156,195.225.176.31

Torna in alto

Sponsor

Inviato: Monday, May 30, 2005 5:55:34 PM

Torna in alto

alfonso

Inviato: Monday, May 30, 2005 6:24:43 PM

Rank: AiutAmico

Iscritto dal : 10/5/2000
Posts: 19,132

Ciao ,
esegui queste operazioni

1) Disattiva il ripristino di configurazione, leggi qui come fare
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=257&SH=N

2) riavvia in modalità provvisoria, leggi qui come fare
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=344&SH=N

apri HIJAC THIS ed elimina come indicato in questo articolo
http://www.aiutamici.com/software/descrizione.asp?CodSw=1175
le righe che seguono, (nel caso le righe da eliminare non compaiono in modalità provvisoria, eliminale dalla modalità normale e riavvia il computer).

==================================
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xkwzb.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkwzb.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xkwzb.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xkwzb.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkwzb.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xkwzb.dll/sp.html#83556
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xkwzb.dll/sp.html#83556
-
R3 - Default URLSearchHook is missing
-
O2 - BHO: Class - {4FB1194E-D990-3D10-F676-4013A1C619B5} - C:\WINDOWS\atlyp32.dll
-
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
-
O4 - HKLM\..\Run: [iexplore.exe] c:\programmi\internet explorer\iexplore.exe
O4 - HKLM\..\Run: [netrg.exe] C:\WINDOWS\system32\netrg.exe
O4 - HKLM\..\RunOnce: [appit.exe] C:\WINDOWS\system32\appit.exe
O4 - HKLM\..\RunOnce: [d3pz.exe] C:\WINDOWS\d3pz.exe
O4 - HKLM\..\RunOnce: [apilw32.exe] C:\WINDOWS\system32\apilw32.exe
O4 - HKLM\..\RunOnce: [mspo32.exe] C:\WINDOWS\system32\mspo32.exe
O4 - HKLM\..\RunOnce: [windw32.exe] C:\WINDOWS\windw32.exe
O4 - HKLM\..\RunOnce: [mfcxp.exe] C:\WINDOWS\mfcxp.exe
O4 - HKLM\..\RunOnce: [ntsp.exe] C:\WINDOWS\ntsp.exe
O4 - HKLM\..\RunOnce: [msll32.exe] C:\WINDOWS\system32\msll32.exe
O4 - HKLM\..\RunOnce: [winfi.exe] C:\WINDOWS\system32\winfi.exe
O4 - HKLM\..\RunOnce: [javaga32.exe] C:\WINDOWS\javaga32.exe
O4 - HKLM\..\RunOnce: [atlvs.exe] C:\WINDOWS\system32\atlvs.exe
O4 - HKLM\..\RunOnce: [ntoo32.exe] C:\WINDOWS\ntoo32.exe
O4 - HKLM\..\RunOnce: [ntmn32.exe] C:\WINDOWS\system32\ntmn32.exe
O4 - HKLM\..\RunOnce: [sdkvu.exe] C:\WINDOWS\system32\sdkvu.exe
O4 - HKLM\..\RunOnce: [mfczf32.exe] C:\WINDOWS\system32\mfczf32.exe
O4 - HKLM\..\RunOnce: [atlne.exe] C:\WINDOWS\atlne.exe
O4 - HKLM\..\RunOnce: [apibg32.exe] C:\WINDOWS\apibg32.exe
O4 - HKLM\..\RunOnce: [apiew32.exe] C:\WINDOWS\apiew32.exe
O4 - HKLM\..\RunOnce: [winep.exe] C:\WINDOWS\winep.exe
O4 - HKLM\..\RunOnce: [atlgu.exe] C:\WINDOWS\atlgu.exe
O4 - HKLM\..\RunOnce: [ietw32.exe] C:\WINDOWS\ietw32.exe
O4 - HKLM\..\RunOnce: [appjm32.exe] C:\WINDOWS\appjm32.exe
O4 - HKLM\..\RunOnce: [msxo.exe] C:\WINDOWS\system32\msxo.exe
O4 - HKLM\..\RunOnce: [msrz32.exe] C:\WINDOWS\msrz32.exe
O4 - HKLM\..\RunOnce: [ipcs32.exe] C:\WINDOWS\ipcs32.exe
O4 - HKLM\..\RunOnce: [crgu32.exe] C:\WINDOWS\crgu32.exe
O4 - HKLM\..\RunOnce: [appvj.exe] C:\WINDOWS\appvj.exe
O4 - HKLM\..\RunOnce: [sdkfv.exe] C:\WINDOWS\sdkfv.exe
O4 - HKLM\..\RunOnce: [msjx.exe] C:\WINDOWS\system32\msjx.exe
O4 - HKLM\..\RunOnce: [d3sv.exe] C:\WINDOWS\system32\d3sv.exe
O4 - HKLM\..\RunOnce: [javawx.exe] C:\WINDOWS\javawx.exe
O4 - HKLM\..\RunOnce: [winms32.exe] C:\WINDOWS\system32\winms32.exe
-
O16 - DPF: {00000000-0000-0000-0000-000020040000} - ms-its:mhtml:file://c:\foo.mht!http://67.15.130.39/x3x/itenergy.chm::/dialer.exe
O16 - DPF: {00000000-0023-0000-5400-320020040070} - http://66.240.181.129/gs/gsa0636.exe
-
O16 - DPF: {ADB880A6-D8FF-11CF-9377-00AA003B7A11} (HHCtrl Object) - http://195.225.176.5/d/khmeljb/ecviwiq/ilzgegq/jkrlhq/IT/hhctrl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FFB22BC-E89E-46DF-B8C2-28B1039BC1D4}: NameServer = 199.166.31.3,199.5.157.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6A7DFF8-71C5-4111-AF0F-F78E7EDE6B48}: NameServer = 69.50.176.156,195.225.176.31
==================================

Con la funzione TROVA di Windows, cerca ed elimina questi file,

==================================
xkwzb.dll
sp.html
atlyp32.dll
cmd32.exe
internat.dll
netrg.exe
appit.exe
d3pz.exe
apilw32.exe
mspo32.exe
windw32.exe
mfcxp.exe
ntsp.exe
msll32.exe
winfi.exe
javaga32.exe
atlvs.exe
ntoo32.exe
ntmn32.exe
sdkvu.exe
mfczf32.exe
atlne.exe
apibg32.exe
apiew32.exe
winep.exe
atlgu.exe
ietw32.exe
appjm32.exe
msxo.exe
msrz32.exe
ipcs32.exe
crgu32.exe
appvj.exe
sdkfv.exe
msjx.exe
d3sv.exe
javawx.exe
winms32.exe
==================================

Vai a PANNELLO DI CONTROLLO e clicca su OPZIONI INTERNET
nella finestra che si apre clicca i tre pulsanti
ELIMINA COOKIES - ELIMINA FILE - CANCELLA CRONOOLOGIA
poi clicca il pulsante PAGINA PREDEFINITA e su OK

al termine utilizza i programmi AD-AWARE e SPYBOT indicati in questo articolo
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=388&SH=N

sempre in modalità provvisoria fai una scansione Antivirus

quindi riavvia il computer e controlla se il problema e risolto, se e tutto OK riattiva il ripristino configurazione disattivato all'inizio di questa procedura.

Dopo la pulizzia inserisci un nuovo log aggiornato per ulteriore controllo.

<font color=red>Blocco questo forum per la presenza di link che fanno caricare virus, apri un nuovo messaggio per continuare il discorso.</font id=red>

Collaboratore Aiutamici

Torna in alto

Utenti presenti in questo topic

Guest

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » Log di Hijack

Salta al Forum

Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Invia topic via Email

RSS Feed

Watch this topic

Stampa topic

Normale

Threaded