Problema con coolweb

[mciofa]

problema con coolweb
il computer di un amico ha il malware coolweb search.
Vi posto un log di HijackThis:




Logfile of HijackThis v1.97.7
Scan saved at 22.39.11, on 15/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\D-Tools\daemon.exe
C:\Programmi\Java\j2re1.4.2_01\bin\jusched.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\System32\rmctrl.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
G:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.alcatel.com/consumer/dsl/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AE48CA5D-7FE7-4D7F-8EAF-20F9D7E7B011} - C:\WINDOWS\System32\ookecc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: QuickTV.lnk = C:\Programmi\AVERTV2K\QuickTV.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C6BF512-8EB7-4AD9-85F2-1B552C52CD56}: NameServer = 151.99.0.100 212.216.172.62
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C6BF512-8EB7-4AD9-85F2-1B552C52CD56}: NameServer = 151.99.0.100 212.216.172.62




Spero che qualcuno riesca a darmi una mano....


Grazie Ciao

[netquik]

allora...

prima di tutto prova con le maniere gentili

aggiorna ad-aware e prcurati cwshredder ultima versione


riavvia in provvisioria e fixa


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about :blank

O2 - BHO: (no name) - {AE48CA5D-7FE7-4D7F-8EAF-20F9D7E7B011} - C:\WINDOWS\System32\ookecc.dll

la riga o10 non è da fixare
è un falso problema dovuto a NOD32


ora sempre da provvisoria prova ad eliminare almeno
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
o nel caso svuota la cartella TEMP
e
C:\WINDOWS\System32\ookecc.dll

ora fai delle passate con cwshredder e adware
settato così http://forum.hwupgrade.it/showthread...hreadid=728094

[netquik]

ho anche notato che usi la versione vecchia di Hijack

scaricati la nuova e poi posta il nuovo log

[mciofa]

Perfetto!!!!!



Non ci posso credere!!!!
Sei un grande Netquik!

[netquik]

prima di esultare aspettiamo un pò...

questi maledetti si insediano come la muffa in frigorifero guasto...


speriamo comunque sia tutto a posto..

magari posta il nuovo log di HijackThis...

ciauz