posto un log di hijack

**ascaso** · 15-07-2004, 15:46

Logfile of HijackThis v1.97.7
Scan saved at 15.33.30, on 15/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Winamp\winampa.exe
C:\DOCUME~1\Enrico\IMPOST~1\Temp\57.tmp.exe
C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\atalmv.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\Enrico\Dati applicazioni\apaa.exe
C:\WINDOWS\system32\explorer.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\azmzl.exe
G:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Enrico\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Enrico\IMPOST~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Enrico\IMPOST~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Enrico\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Enrico\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Enrico\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {3BFC1370-E06F-3CC2-D351-6C5579A62A6C} - C:\WINDOWS\System32\tjmyfx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {72B2E989-16F3-44E9-A6E0-DBE71E47DE97} - C:\WINDOWS\System32\ojep.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\qbtvdz.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\mypfq.exe
O4 - HKLM\..\Run: [[Ephemeral 2.4] by TreeHugger, ] C:\DOCUME~1\Enrico\IMPOST~1\Temp\57.tmp.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [hsapheadazmgz] C:\WINDOWS\System32\fqvlxw.exe
O4 - HKLM\..\Run: [atalmv] C:\WINDOWS\atalmv.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svchost.exe 0
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Puut] C:\Documents and Settings\Enrico\Dati applicazioni\apaa.exe
O4 - HKCU\..\Run: [Zchbeir] C:\WINDOWS\System32\azmzl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Alice (HKCU)
O12 - Plugin for .mov: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://213.159.117.150:80/iex/ofile....80/dexIT10.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.133/dl/adv65/x.chm::/load.exe
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/200...Inc/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...174.6667939815

SCUSATE LA VELOCITA' MA L'INTRUSO NON MI PERMETTE DI STARE TROPPO IN INTERNET..OGNI VOLTA DEVO REISTALLARE IL MODEM

**ascaso** · 15-07-2004, 15:47

La pagina iniziale che indirizza il browser è http://213.159.117.134/index.php

**ascaso** · 15-07-2004, 15:49

Naturalmente vi chiedevo quali processi interrompere...

**amvinfe** · 15-07-2004, 16:48

è un campo da battagila

inizia a fare una scansione online e ad eliminare tutto ciò che viene trovato infetto e ti assicuro che non sarà poco

Riavvia il pc fai una nuova scansione con HijackThis e posta il nuovo log.

http://support.f-secure.com/enu/home/ols.shtml

**ascaso** · 15-07-2004, 19:53

Rispondo solo ora perchè come ti ho già detto nell'altro post
il pc non è il mio...
Il problema che è proprio impossibile rimanere connessi..ogno volta devo reinstallare Alice ed il modem per avere 3 minuti di connessione!
//213.159.117.134/index.php questa è la pagina incriminata e so già che è lei l'intrusa generatrice.
Ma mome è stato possibile prenderee sta roba con NA2004 aggiornato? Vengono da script nelle pagine di certi sitacci?
ora capisco il w32sassere che entrava dalla porta ma così non è possibile prendere i virus cavoli!
Se non ce proprio una soluzione alternativa, io formatterei..tanto di dati c'è da backuppare solo 550 mb di roba!
Grazie sei stato molto gentile!

**amvinfe** · 16-07-2004, 00:37

scaricati questi programmi

AdAware lo trovi nel 3d -links utili- in Rilievo, trovi anche le spiegazioni per settarlo

CWShredder anche questo lo trovi nella stessa sezione

sphjfix metti questo file all'interno di una nuova cartella.

Apri sphjfix clicca su "start disinfection" riavvia il pc e ripeti l'operazione

Riavvia in modalità provvisoria apri HJT e metti la spunta alle seguenti voci, clicca su Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Enrico\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Enrico\IMPOST~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Enrico\IMPOST~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Enrico\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Enrico\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Enrico\IMPOST~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about :blank
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {3BFC1370-E06F-3CC2-D351-6C5579A62A6C} - C:\WINDOWS\System32\tjmyfx.dll
O2 - BHO: (no name) - {72B2E989-16F3-44E9-A6E0-DBE71E47DE97} - C:\WINDOWS\System32\ojep.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll (file missing)
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\qbtvdz.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\mypfq.exe
O4 - HKLM\..\Run: [[Ephemeral 2.4] by TreeHugger, ] C:\DOCUME~1\Enrico\IMPOST~1\Temp\57.tmp.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [hsapheadazmgz] C:\WINDOWS\System32\fqvlxw.exe
O4 - HKLM\..\Run: [atalmv] C:\WINDOWS\atalmv.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svchost.exe 0
O4 - HKCU\..\Run: [Puut] C:\Documents and Settings\Enrico\Dati applicazioni\apaa.exe
O4 - HKCU\..\Run: [Zchbeir] C:\WINDOWS\System32\azmzl.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://213.159.117.150:80/iex/ofile...:80/dexIT10.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.133/dl/adv65/x.chm::/load.exe
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/20...TInc/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

Sempre dalla provvisoria elimina, se ancora presenti, i files:

C:\WINDOWS\twaintec.dll
C:\WINDOWS\System32\tjmyfx.dll
C:\WINDOWS\System32\ojep.dll
C:\WINDOWS\questmod.dll
C:\WINDOWS\System32\qbtvdz.exe
C:\WINDOWS\System32\mypfq.exe
C:\DOCUME~1\Enrico\IMPOST~1\Temp\57.tmp.exe
C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\system32\explorer.exe fai attenzione all'esatto percorso!!!
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\Downloaded Program Files\bridge.dll
C:\WINDOWS\System32\fqvlxw.exe
C:\WINDOWS\atalmv.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\WINDOWS\svchost.exe
C:\Documents and Settings\Enrico\Dati applicazioni\apaa.exe
C:\WINDOWS\System32\azmzl.exe

Trova ed elimina da C:\Program Files la cartella
C:\Program Files\WindowsSA \omniscient.exe

Sempre dalla provvisoria apri AdAware, settalo come descritto nel 3d in cui l'hai scaricato e fai una scansione, rimuovi tutto ciò che ti ha trovato.

Apri CWShredder e clicca su Fix

Riavvia il pc, fai un nuovo log con HJT e postalo

Discussione: posto un log di hijack

Strumenti discussione

Ricerca discussione

Visualizza

posto un log di hijack

AGGIUNGO

scusate ancora..

grazie

Permessi di invio