un amico incauto ha involontariamente visitato un sito porno e ovviamente si č beccato un dialer e una toolbar su explorer (oltre alla homa page cambiata) denominata search toolbar
Io credo di avergli tolto il dialer, ma la barra non sono riuscito ad eliminarla. cosa posso fare?
Ho fatto girare Ad-aware, ha trovato 40 file, ma la barra č rimasta...
chiedi in sicurezza non qui
Heaven's closed. Hell sold out.
Linux 2.6.26-2-amd64
Debian squeeze
Ti sposto nel forum adatto.
posta il log di hijackthis oppure fai una scansione con spybot
In a world without walls and fences, who needs windows and gates?
ragazzi, č successo anche a me, e stavo usando FIrefox.... non so come e cosa sia successo, mi sono trovato delle icone nel desktop e la home page sia di firefox che di IE cambiata (mia pare un casinō on line...)
ecco il log hijack
Logfile of HijackThis v1.97.7
Scan saved at 23.03.01, on 26/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\AVPersonal\AVGUARD.EXE
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\Sitecom USB ADSL modem DC-204\CnxDslTb.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\PROGRA~2\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programmi\AVPersonal\AVGNT.EXE
C:\Programmi\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Programmi\Microsoft IntelliType Pro\type32.exe
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
C:\Programmi\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rundll32.exe
c:\progra~2\intern~1\iexplore.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\eMule\emule.exe
C:\PROGRA~2\THUNDE~1\THUNDE~1.EXE
C:\PROGRA~2\MOZILL~1\FIREFOX.EXE
C:\Programmi\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
f:\Documents and Settings\d@v\Documenti\download\programmi\HijackTh is.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mdrpazblxrpvnoqpplitn.com...7KQvfIl9nk.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xqutpknmkhn.com/Rlmp1pAk0...N4RSQmioz.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = | ecsplorer pauerd bai d@v
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programmi\DAP\DAPBHO.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: (no name) - {F2431363-7BEB-9D1B-EFC6-420FF8CA5E44} - C:\PROGRA~2\GREATM~1\BIRD HTM.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Programmi\DAP\DAPIEBar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar\01.01.1629.0\it\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Programmi\Sitecom USB ADSL modem DC-204\CnxDslTb.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\Programmi\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programmi\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mmtask] C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [type32] "C:\Programmi\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Programmi\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [msnappau] "C:\Programmi\MSN Apps\Updater\01.02.0002.1001\it\msnappau.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~2\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmi\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [litefind] C:\PROGRA~2\4 support\deleteflaw.exe
O4 - HKLM\..\Run: [Memo view chin comp] C:\Documents and Settings\All Users\Dati applicazioni\bibhidememoview\MULTI4.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~2\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programmi\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~2\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~2\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2683d67659a8412...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094147597899
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/it/bi.../GoogleNav.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.virgilio.it/pctester/fil...ivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E6FBA24-9BEA-44A8-B13A-326E92D2CF19}: NameServer = 62.211.69.150 212.48.4.15
sicuro che ad-aware abbia elimianto tutto? hai aggiornato le sue definizioni prima di lanciare la scansione (icona a forma di globo in alto a destra)? Se non lo hai fatto ti consiglio di riprovare prima di fare qualsiasi altra cosa.
In ogni caso le seguenti voci secondo me sarebbero da togliere:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mdrpazblxrpvnoqpplitn.co...l
9nk.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xqutpknmkhn.com/ Rlmp1pA...dN4RSQmioz.html
O2 - BHO: (no name) - {F2431363-7BEB-9D1B-EFC6-420FF8CA5E44} - C:\PROGRA~2\GREATM~1\BIRD HTM.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [litefind] C:\PROGRA~2\4 support\deleteflaw.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~2\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
Leggi il REGOLAMENTO!
E' molto complicato, un mucchio di input e output, una quantitā di informazioni, un mucchio di elementi da considerare, ho una quantitā di elementi da tener presente...
Drugo
oggi ho scaricato la nuova versione di ad aware, avevo 232 file "sensibili"... perō č successa una cosa altamente strana e preoccupante: mi č apparsa la finestra del RPC che dopo un minuto mi ha spento il computer (con conto alla rovescia) come faceva quel virus di un anno fa... Ho fatto partire l'antivirus (AntiVir PE) e non ha trovato niente (č aggiornatissimo). Poi ho tolto quelle cose di hijack... ora vedo se funziona tutto perfettamente
ok, tutto va bene ora
perō č rimasta la toolbar di qualche sito...
e msn non si connette perchč explorer č in modalitā non in linea (mentre sono in linea con firefox..)
Ecco, una toolbar su exploder, e un'altra barra di non so che sopra la taskbar...
Ho provato di tutto: Spybot, Ad ware, hijack, cwshredder... niente!!!
prova a disinstallare Messenger Plus! 3
Permessi di invio
Rispondi quotando