Uso di Hijackthis su WINDOWS XP

[Dom4784]

Salve a tutti!
Ho usato Hijackthis per controllare il mio pc sicuramente pieno di problemi. Vorrei postare il file di log, per chiedervi cosa devo eliminare dal mio pc leggendolo.


Logfile of HijackThis v1.99.1
Scan saved at 20.55.46, on 09/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIB EE.EXE
C:\Programmi\IPM\Adsl\DataWay\dslstat.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.seekgooit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIB EE.EXE /FU "C:\WINDOWS\TEMP\E_SAB.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Programmi\IPM\Adsl\DataWay\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Apri in nuova scheda in primo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/230?b49ae5ba26ea405da3a8485d2d5732a3
O8 - Extra context menu item: Apri in nuova scheda in secondo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/229?b49ae5ba26ea405da3a8485d2d5732a3
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DCFA797-18B6-4F09-A286-F793DF4E1B0A}: NameServer = 85.37.17.49 85.38.28.91
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe


vi prego aiutatemi!

Grazie

[tecnico24]

ciao,a quanto pare il tuo antivirus,firewall e modalita provvisoria non funzionano.
pulisci il tuo pc cosi':
scarica avenger qui---> http://swandog46.geekstogo.com/avenger.zip
seleziona input script manually e sulla lente di ingrandimento
poi sio apre una finestra Wiev/edit script,fai copia|incolla delle scritte qui sotto



Files to delete:
C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\m_hook.sys
C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\rosa.sys
C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\hidr.exe
c:\WINDOWS\system32\wintems.exe
c:\WINDOWS\system32\hldrrr.exe

folders to delete:
C:\Documents and Settings\nomeutente\Dati applicazioni\hidires
c:\WINDOWS\exefld

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_H OOK
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ros a

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr


poi su done,due volte si,riavvia il pc e posta il log che si trova in c:/avenger.txt
ah dimenticavo,sezione sbagliata.probabile che verra spostato in sicurezza percio se non lo trovi qui e in sicurezza pc e virus.

[vercinstex]

ma scusa perchè posti il log qua?
c'è un sito apposta che ti da una valutazione di tutte le voci che ti escono dalla scansione

http://www.hijackthis.de/

a seconda di quello che ti dicono agisci di conseguenza

[Dom4784]

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\mxdnlmhk

*******************

Script file located at: \??\C:\WINDOWS\system32\iutteawt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\m_hook.sys for deletion
Deletion of file C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\m_hook.sys failed!

Could not process line:
C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\m_hook.sys
Status: 0xc000003a



Could not open file C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\rosa.sys for deletion
Deletion of file C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\rosa.sys failed!

Could not process line:
C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\rosa.sys
Status: 0xc000003a



Could not open file C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\hidr.exe for deletion
Deletion of file C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\hidr.exe failed!

Could not process line:
C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\hidr.exe
Status: 0xc000003a



File c:\WINDOWS\system32\wintems.exe not found!
Deletion of file c:\WINDOWS\system32\wintems.exe failed!

Could not process line:
c:\WINDOWS\system32\wintems.exe
Status: 0xc0000034

File c:\WINDOWS\system32\hldrrr.exe deleted successfully.


Could not open folder C:\Documents and Settings\nomeutente\Dati applicazioni\hidires for deletion
Deletion of folder C:\Documents and Settings\nomeutente\Dati applicazioni\hidires failed!

Could not process line:
C:\Documents and Settings\nomeutente\Dati applicazioni\hidires
Status: 0xc000003a

Folder c:\WINDOWS\exefld deleted successfully.


Registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
Status: 0xc0000034



Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_H OOK not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_H OOK failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_H OOK
Status: 0xc0000034

Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ros a deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run |hldrrr deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

[tecnico24]

ciao,a quanto pare avenger ha eliminato alcune schifezze.per essere sicuri che non ci siano residui di questo virus,procedi cosi:
scarica Elibagla (tool apposito) da qui:
http://www.zonavirus.com/datos/desca...5/elibagla.asp

Assicurati che la casella Eliminar Ficheros Automaticamente sia spuntata

Eseguilo

Ignora eventuali messaggi dell’antivirus

Posta il report dello scan.
comunque in avenger al posto di rosa dovevi mettere il tuo nome account di windows,pero' non fa niente,elibagla risolvera' il problema.

[darkkik]

Spostato in sicurezza.