log file hjackthis

**andreacsr** · 10-07-2004, 11:04

Ciao a tutti.
Ho appena installato HjackThis e fatto una scansione
Potreste dare uno sguardo al log file?

Logfile of HijackThis v1.98.0
Scan saved at 10.56.38, on 10/07/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\win.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\win.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\andrea\Desktop\prova\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\andrea\Dati applicazioni\winshow\winshow.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programmi\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [agg] win.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [eDonkey2000] C:\Programmi\eDonkey2000\eDonkey2000.exe -t
O4 - HKLM\..\Run: [Overnet] C:\Programmi\Overnet\eDonkey2000.exe -t
O4 - HKLM\..\RunServices: [agg] win.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [agg] win.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV0 3.EXE
O9 - Extra button: SkinUp! - {1537a110-bb98-22c1-7342-12d0372a27d1} - c:\programmi\chbar\skinup.exe (file missing)
O9 - Extra 'Tools' menuitem: Cambia S&kin! - {1537a110-bb98-22c1-7342-12d0372a27d1} - c:\programmi\chbar\skinup.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/k/x/krescp19x.exe
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1339F03E-0AB2-4767-91DE-C98BEF47DCC4}: NameServer = 62.211.69.150 212.48.4.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{1339F03E-0AB2-4767-91DE-C98BEF47DCC4}: NameServer = 62.211.69.150 212.48.4.15

grazie1000

**amvinfe** · 10-07-2004, 14:48

Scaricati
AdAware

e CWShredder

Riavvia in modalità provvisoria (è importante), apri HJT fai una nuova scansione e metti la spunta al fianco delle seguenti voci, clicca su Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:/www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/w/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\andrea\Dati applicazioni\winshow\winshow.dll (file missing)
O4 - HKLM\..\Run: [agg] win.exe
O4 - HKLM\..\RunServices: [agg] win.exe
O4 - HKCU\..\Run: [agg] win.exe
O9 - Extra button: SkinUp! - {1537a110-bb98-22c1-7342-12d0372a27d1} - c:\programmi\chbar\skinup.exe (file missing)
O9 - Extra 'Tools' menuitem: Cambia S&kin! - {1537a110-bb98-22c1-7342-12d0372a27d1} - c:\programmi\chbar\skinup.exe (file missing)
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/k/x/krescp19x.exe

sempre dalla provvisoria cerca ed elimina il file
C:\WINDOWS\system32\win.exe <===il file

Apri, sempre dalla modalità provvisoria, AdAware e settalo così:

Dalla finestra principale del programma portati in alto e clicca sull'icona Configurazione (icona ingranaggio), troverai 4 voci metti la spunta selle ultime tre (devono diventare verdi)
1) salva log file
2) in quarantena prima di rimuovere
3) Modo sicuro
Ora clicca su Personalizza (sempre dalla stessa finestra)
Metti la spunta su "Usa la mia configurazione di default" e clicca al suo fianco su Personalizza
Metti la spunata su
"Controlla all'interno delle cartelle"
Nella parte "Memoria & Registro" metti la spunta a tutte e 5 le voci (devono sempre diventare verdi)
Clicca su Continua (in basso)
Ora clicca con tutte le applicazioni chiuse, su Inizio (in basso a dx) e poi su Avanti.
Finita la scansione elimina tutti i valori in rosso che AdAware ti ha trovato, riavvia il pc in modalità normale.

Apri CWShredder e clicca su Fix. Riavvia il pc.

Fai una nuova scansione con HJT e posta il Log.
P.S.
Ovviamente prima di fare la scansione con AdAware assicurati d'avere le definizioni aggiornate. Per verificarlo apri AdAware e dalla finestra principale controlla il n° del Reffile e la data, mentre sto scrivendo il Reffile è dell'8.7.04

**andreacsr** · 10-07-2004, 16:24

Fatto!

Logfile of HijackThis v1.98.0
Scan saved at 16.15.58, on 10/07/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Programmi\AVPersonal\AVGNT.EXE
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\eDonkey2000\eDonkey2000.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\andrea\Desktop\prova\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programmi\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [eDonkey2000] C:\Programmi\eDonkey2000\eDonkey2000.exe -t
O4 - HKLM\..\Run: [Overnet] C:\Programmi\Overnet\eDonkey2000.exe -t
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV0 3.EXE
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

come va ora?

**andreacsr** · 10-07-2004, 16:30

Originariamente inviato da amvinfe
sempre dalla provvisoria cerca ed elimina il file
C:\WINDOWS\system32\win.exe <===il file

P.S.
ho eliminato quel file dalla cartella system32, però se faccio una ricerca del file win.exe nel sistema me lo trova ancora in queste due cartelle:
C:\
C:\Documents and Settings\andrea

è normale??

**amvinfe** · 10-07-2004, 18:23

vai a questo indirizzo

http://virusscan.jotti.dhs.org/

fai la scansione dei due singoli file e fammi sapere

**andreacsr** · 10-07-2004, 19:34

VVoVe:

VVoVe:

Service load:
0% 100%
File: win.exe
Status:
INFECTED/MALWARE

AntiVir
No viruses found (1.22 seconds taken)
BitDefender
No viruses found (3.36 seconds taken)
ClamAV
No viruses found (4.99 seconds taken)
F-Prot Antivirus
No viruses found (1.18 seconds taken)
F-Secure Anti-Virus
Backdoor.SdBot.gen (4.32 seconds taken)
Kaspersky Anti-Virus
Backdoor.SdBot.gen (4.17 seconds taken)
McAfee VirusScan
No viruses found (6.35 seconds taken)
Norman Virus Control
Sandbox: W32/Malware; [ General information ]

* File length: 94116 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\win.exe.

[ Changes to registry ]
* Creates value "agg"="win.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n".
* Creates value "agg"="win.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Ru nServices".
* Creates value "agg"="win.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Ru n".

[ Network services ]
* Attempts to resolve name "irc.tin.it".
* Connect port 6667 [TCP], IP 193.75.75.100.
* Connects to IRC Server.
* Connect port 113 [IP], IP 0.0.0.0.

[ Process/window information ]
* Creates a mutex AgCrew. (17.03 seconds taken)

**amvinfe** · 12-07-2004, 00:02

infatti era quello che immaginavo, elimina tutto

**andreacsr** · 12-07-2004, 10:44

può essere che per colpa di quel virus ora veda tutte le scritte del sistema operativo e dei programmi (nomi delle cartelle, voci del menu ecc) in grassetto??

**amvinfe** · 12-07-2004, 17:24

lo escludo

Discussione: log file hjackthis

Strumenti discussione

Ricerca discussione

Visualizza

log file hjackthis

Permessi di invio