Benvenuto Ospite Cerca | Topic Attivi | Utenti | | Log In | Registra

ho mica un virus...?? Opzioni
giusi75
Inviato: Tuesday, March 26, 2024 11:42:20 AM
Rank: AiutAmico

Iscritto dal : 8/19/2015
Posts: 245
fatto ecco il nuovo log,
a questo punto dopo varie scans anche in safe mode con malwarebytes,8 ore, e set , f secure e macafee stinger il pc è pulito...ma...
la finestra che ciede l'account ms allo start del pc oppure ogni volta che explorer.exe si chiude e si riapre
mi compare sempre...
ecco il log hijack:

Logfile of HiJackThis Fork by Alex Dragokas v.2.10.0.13

Platform: x64 Windows 10 (Home), 10.0.19045.4170 (ReleaseId: 2009, 22H2), Service Pack: 0
Time: 26.03.2024 - 11:39 (UTC+01:00)
Language: OS: Italian (0x410). Display: Italian (0x410). Non-Unicode: Italian (0x410)
Elevated: Yes
Ran by: Luca (group: Administrators) on PC, FirstRun: no

Chrome: 115.0.5790.171
Firefox: 124.0.0.8836
Internet Explorer: 11.0.19041.3636
Default: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1" (Firefox)

Boot mode: Normal

Running processes:
Number | Path
1 C:\Program Files (x86)\AOMEI\AOMEI Backupper\7.3.3\ABService.exe
1 C:\Program Files (x86)\Softland\FBackup 9\bService.exe
1 C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
1 C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
1 C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
6 C:\Users\Luca\AppData\Local\Programs\Python\Python38\python.exe
2 C:\Windows\explorer.exe
1 C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
1 C:\Windows\System32\AggregatorHost.exe
1 C:\Windows\System32\audiodg.exe
2 C:\Windows\System32\conhost.exe
2 C:\Windows\System32\csrss.exe
1 C:\Windows\System32\ctfmon.exe
1 C:\Windows\System32\dasHost.exe
2 C:\Windows\System32\dllhost.exe
1 C:\Windows\System32\dwm.exe
2 C:\Windows\System32\fontdrvhost.exe
1 C:\Windows\System32\igfxCUIService.exe
1 C:\Windows\System32\igfxHK.exe
1 C:\Windows\System32\igfxTray.exe
1 C:\Windows\System32\lsass.exe
1 C:\Windows\System32\rundll32.exe
4 C:\Windows\System32\RuntimeBroker.exe
1 C:\Windows\System32\SearchIndexer.exe
1 C:\Windows\System32\SecurityHealthService.exe
1 C:\Windows\System32\services.exe
1 C:\Windows\System32\SgrmBroker.exe
1 C:\Windows\System32\sihost.exe
1 C:\Windows\System32\smartscreen.exe
1 C:\Windows\System32\smss.exe
1 C:\Windows\System32\snmptrap.exe
1 C:\Windows\System32\spoolsv.exe
75 C:\Windows\System32\svchost.exe
2 C:\Windows\System32\taskhostw.exe
1 C:\Windows\System32\wbem\WmiPrvSE.exe
1 C:\Windows\System32\wininit.exe
1 C:\Windows\System32\winlogon.exe
1 C:\Windows\System32\WUDFHost.exe
1 C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
1 C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
1 C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
1 D:\DESKTOP\ANTIVIRUS\HiJackThis_2.10.0.13\HiJackThis_2.10.0.13.exe
19 D:\DESKTOP\BROWSERS\FIREFOX\FirefoxPortable\App\Firefox64\firefox.exe
1 D:\DESKTOP\BROWSERS\FIREFOX\FirefoxPortable\FirefoxPortable.exe
1 D:\DESKTOP\BROWSERS\Windscribe\WindscribeService.exe
1 G:\back up 29.04.2010\C\Documents and Settings\Administrator\Dati applicazioni\qBittorrent-4.5.2\App\qBittorrent\qbittorrent.exe
1 G:\back up 29.04.2010\C\Documents and Settings\Administrator\Dati applicazioni\qBittorrent-4.5.2\qBittorrentPortable.exe
1 N:\DESKTOP\PC\Dns\dnscrypt-proxy\dnscrypt-proxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main: [Start Page] = http://libero.it/
O4 - HKCU\..\StartupApproved\StartupFolder: C:\Users\Luca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hpqtra08.exe -> (PE EXE) (2023/03/10)
O4 - HKLM\..\StartupApproved\Run: [MouseDriver] = C:\WINDOWS\system32\TiltWheelMouse.exe (2020/06/19)
O4 - HKLM\..\StartupApproved\Run: [RTHDVCPL] = C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s (2022/11/27)
O4 - HKLM\..\StartupApproved\Run: [SafeDiveCertMgm] = C:\WINDOWS\system32\rundll32.exe stCNSUtil.dll,DeleteCertStore (2022/02/21)
O4 - HKLM\..\StartupApproved\Run32: [IDProtect Monitor] = C:\Program Files (x86)\Athena\IDProtect Client\Utils\IDProtect Monitor.exe (2020/06/27)
O5 - Applet: C:\WINDOWS\System32\RTSnMg64.cpl (Sign: 'Realtek Semiconductor Corp')
O17 - DHCP DNS 1: 127.0.0.1
O17 - DHCP DNS 2: 9.9.9.9 (Well-known DNS: Quad9)
O17 - HKLM\System\CCS\Services\Tcpip\..\{3b997113-d581-4c48-9a3c-6a5f7a071715}: [NameServer] = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{3b997113-d581-4c48-9a3c-6a5f7a071715}: [NameServer] = 9.9.9.9 (Well-known DNS: Quad9)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Agent Activation Runtime (empty)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HP (empty)
O22 - Task: (disabled) \Microsoft\Windows\Management\Autopilot\DetectHardwareChange - {62B2DD2C-F129-42EE-BF59-55D3FD21C215},DetectHardwareChange - C:\Windows\System32\Autopilot.dll (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\Management\Autopilot\RemediateHardwareChange - {62B2DD2C-F129-42EE-BF59-55D3FD21C215},RemediateHardwareChange - C:\Windows\System32\Autopilot.dll (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\Management\Provisioning\Retry - C:\WINDOWS\system32\ProvTool.exe /turn 5 /source ProvRetryTask (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\Management\Provisioning\RunOnReboot - C:\WINDOWS\system32\ProvTool.exe /turn 5 /source ContinueSessionTask (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work - C:\WINDOWS\system32\usoclient.exe StartMaintenanceWork (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work - C:\WINDOWS\system32\usoclient.exe StartWork (Microsoft)
O22 - Task: (disabled) CIE Middleware Update - C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\CIEPKI.dll",Update
O22 - Task: (telemetry) \Microsoft\Windows\Application Experience\PcaPatchDbTask - C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\PcaSvc.dll,PcaPatchSdbTask (Microsoft)
O22 - Task: \Microsoft\Windows\AppListBackup\BackupNonMaintenance - {E0DCC2CC-3354-45F2-8914-519E07809082} - C:\WINDOWS\system32\AppListBackupLauncher.dll (Microsoft)
O22 - Task: \Microsoft\Windows\AppxDeploymentClient\UCPD velocity - C:\WINDOWS\system32\UCPDMgr.exe (Microsoft)
O22 - Task: \Microsoft\Windows\ConsentUX\UnifiedConsent\UnifiedConsentSyncTask - {82aa0895-198a-4c1b-b2d1-c16894218afb} - C:\WINDOWS\System32\unifiedconsent.dll (Microsoft)
O22 - Task: \Microsoft\Windows\PI\SecureBootEncodeUEFI - C:\WINDOWS\system32\SecureBootEncodeUEFI.exe (Microsoft)
O22 - Task: \Microsoft\Windows\SMB\UninstallSMB1ClientTask - C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
O22 - Task: \Microsoft\Windows\SMB\UninstallSMB1ServerTask - C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Server"
O22 - Task: \Microsoft\Windows\WindowsUpdate\Refresh Group Policy Cache - {07369A67-07A6-4608-ABEA-379491CB7C46} - C:\Windows\System32\UpdatePolicy.dll (Microsoft)
O22 - Task: \Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler - C:\Program Files\RUXIM\PLUGscheduler.exe (file missing)
O22 - Task: \Mozilla\Firefox Background Update 308046B0AF4A39CB - C:\Program Files\Mozilla Firefox\firefox.exe --MOZ_LOG sync,prependheader,timestamp,append,maxsize:1,Dump:5 --MOZ_LOG_FILE C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate.moz_log --backgroundtask backgroundupdate
O22 - Task: \Mozilla\Firefox Background Update S-1-5-21-875700017-217750280-4135200879-1001 308046B0AF4A39CB - C:\Program Files\Mozilla Firefox\firefox.exe --MOZ_LOG sync,prependheader,timestamp,append,maxsize:1,Dump:5 --MOZ_LOG_FILE C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate.moz_log --backgroundtask backgroundupdate
O22 - Task: \Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB - C:\Program Files\Mozilla Firefox\default-browser-agent.exe do-task "308046B0AF4A39CB"
O22 - Task: \Softland\FBackup 9\fba_Desktop Backup - C:\Program Files (x86)\Softland\FBackup 9\bSchedStarter.EXE /HIDE /R "{35B1880B-8428-46F8-ADD4-B5FC1D5CC6E1}" -PRIORITY 2
O22 - Task: OneDrive Standalone Update Task-S-1-5-21-1915721136-1638656335-3578974293-500 - C:\Users\Luca\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe (file missing)
O23 - Service R2: AOMEI Backupper Scheduler Service - (Backupper Service) - C:\Program Files (x86)\AOMEI\AOMEI Backupper\7.3.3\ABService.exe
O23 - Service R2: Diskeeper - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service R2: DNSCrypt client proxy - (dnscrypt-proxy) - N:\DESKTOP\PC\Dns\dnscrypt-proxy\dnscrypt-proxy.exe -config dnscrypt-proxy.toml
O23 - Service R2: FBackup 9 Service - (FBackup9Srv) - C:\Program Files (x86)\Softland\FBackup 9\bService.exe -name:"FBackup9Srv" -disp:"FBackup 9 Service"
O23 - Service R2: Intel(R) HD Graphics Control Panel Service - (igfxCUIService2.0.0.0) - C:\WINDOWS\system32\igfxCUIService.exe
O23 - Service R2: Malwarebytes Service - (MBAMService) - C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
O23 - Service R2: Net Driver HPZ12 - C:\WINDOWS\System32\svchost.exe -k HPZ12; "ServiceDll" = C:\Windows\System32\HPZinw12.dll
O23 - Service R2: Pml Driver HPZ12 - C:\WINDOWS\System32\svchost.exe -k HPZ12; "ServiceDll" = C:\Windows\System32\HPZipm12.dll
O23 - Service R2: Windscribe Service - (WindscribeService) - D:/DESKTOP/BROWSERS/Windscribe/WindscribeService.exe
O23 - Service S2: Servizio di rilevamento dispositivi HP CUE - (hpqddsvc) - C:\WINDOWS\system32\svchost.exe -k hpdevmgmt; "ServiceDll" = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll (file missing)
O23 - Service S3: Intel(R) Content Protection HECI Service - (cphs) - C:\WINDOWS\SysWow64\IntelCpHeciSvc.exe
O23 - Service S3: Mozilla Maintenance Service - (MozillaMaintenance) - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service S3: ProtonVPN Service - C:\Program Files\Proton\VPN\v3.2.10\ProtonVPNService.exe
O23 - Service S3: ProtonVPN WireGuard - C:\Program Files\Proton\VPN\v3.2.10\ProtonVPN.WireGuardService.exe "C:\Program Files\Proton\VPN\v3.2.10\ServiceData\WireGuard\ProtonVPN.conf"
O23 - Service S3: VirtualBox system service - (VBoxSDS) - c:\myVirtualBox\VBoxSDS.exe
O23 - Service S3: Wondershare Application Framework Service - (WsAppService) - C:\Program Files (x86)\Wondershare\WAF\2.4.3.225\WsAppService.exe
O23 - Service S3: Wondershare Install Assist Service - (Wondershare InstallAssist) - C:\ProgramData\Wondershare\Service\InstallAssistService.exe


--
End of file - Time spent: 9,8 sec. - 21898 bytes, CRC32: FFFFFFFF. Sign: 豮
syslack
Inviato: Tuesday, March 26, 2024 2:35:58 PM
Rank: Member

Iscritto dal : 2/11/2024
Posts: 23
Cerca nel task manager se in "Servizi" è attivo "wlidsvc - Microsoft Account Sign-in Assistant", eventualmente disattivalo e prova a riavviare il PC.
giusi75
Inviato: Wednesday, March 27, 2024 10:26:32 AM
Rank: AiutAmico

Iscritto dal : 8/19/2015
Posts: 245
syslack ha scritto:
Cerca nel task manager se in "Servizi" è attivo "wlidsvc - Microsoft Account Sign-in Assistant", eventualmente disattivalo e prova a riavviare il PC.


ottimo, grazie syslack
in effetti così sparisce la schermata di richiesta password di account ms
ma però c'e' sempre una finestra blu in cui c'e' una scritta:


rimane qualche secondo e poi scomapare...
come si fa a non avere neppure questa immagine?
perchè a quuanto ho capito ci deve essere una qualche app o servizio ms che da qualche settimana all'accesso del pc oppure alla chiusura e riapertura di explorer.exe
vorrebbe il log in all'account di ms
quindi credo che disabilitando il wlidsvc abbiamo eliminato gli effetti...
ma non abbiamo arrestato la causa
ecco io vorrei che non apparisse neppure la immagine che ho postato
perchè fino a qualche settimana fa non appariva
in sostanza vorrei fermarne la causa
grazie ancora per l'attenzione ed aiuto
giusi75
Inviato: Saturday, March 30, 2024 10:03:22 AM
Rank: AiutAmico

Iscritto dal : 8/19/2015
Posts: 245
...e qui è cascato l'asino...:
disabilitando il wlidsvc abbiamo eliminato gli effetti...
ma non abbiamo arrestato la causa
Utenti presenti in questo topic
Guest


Salta al Forum
Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Main Forum RSS : RSS

Aiutamici Theme
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.