Aiutamici Forum

Pest (adware?) on the PC.
bbrun
Posted: Monday, May 30, 2022 6:28:31 PM
Rank: AiutAmico

Member since: 3/14/2005
Posts: 978
On Wolfstein's advice I'm posting my message here.

After all the hullabaloo the intruder is 80% gone, but it isn't eradicated; every now and then it comes back.

Here is the wall of text:

Hello, "Captchatest.top" suddenly appeared on my PC, insistently telling me that a virus got into my PC, the antivirus is disabled, the system is damaged, scan, remove the virus, install this, that and the other, click here and there, and other such nonsense. Obviously I didn't click on anything; it's probably adware.

Online I found loads of stuff on "Captchasomething", but nothing on "Captchatest.top".

I turned to Giza's guide and used Malwarebytes; I ran the scan and MB found C:\Programfiles(x86)\Windows live\Photogallery\Winmoviemaker.exe classified as "Generic malware suspicious", only that; maybe it's a false positive, but I put it in quarantine.

I start with AdwCleaner
Quote:
# -------------------------------
# Malwarebytes AdwCleaner 8.3.2.0
# -------------------------------
# Build: 03-23-2022
# Database: 2022-03-15.3 (Local)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 05-30-2022
# Duration: 00:00:15
# OS: Windows 10 Enterprise LTSC 2019
# Scanned: 32039
# Detected: 5


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy C:\ProgramData\BSD\DriverHiveEngine
PUP.Optional.TweakBit C:\ProgramData\BSD\DriverHive

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.DriverUpdatePlus HKLM\Software\Wow6432Node\BSD
PUP.Optional.FreeMakeConverter HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|ProductUpdater
PUP.Optional.FreeMakeConverter HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Run|ProductUpdater

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.


AdwCleaner[S00].txt - [1622 octets] - [24/04/2022 11:33:26]
AdwCleaner_Debug.log - [5862 octets] - [24/04/2022 11:34:43]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S01].txt ##########

I quarantine what it finds.

I download and run Rkill
Quote:
Rkill 2.9.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2022 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/30/2022 12:26:28 PM in x64 mode.
Windows Version: Windows 10 Enterprise LTSC 2019

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001


But why is Defender being disabled?

I run HijackThis.
Quote:

Log of HiJackThis Fork by Alex Dragokas v.2.9.0.26

Platform: x64 Windows 10 (Enterprise LTSB), 10.0.17763.2989 (ReleaseId: 1809), Service Pack: 0
Time: 30.05.2022 - 12:38 (UTC+02:00)
Language: OS: Italian (0x410). Display: Italian (0x410). Non-Unicode: Italian (0x410)
Elevated: No
Ran by: bbrun (group: Limited User) on DESKTOP-OQIHHIQ, FirstRun: yes

Internet Explorer: 11.1790.17763.0
Default: "E:\USB\Vivaldi\Application\vivaldi.exe" --single-argument %1 (Vivaldi S [E:\USB\Vivaldi])

Boot mode: Normal

Running processes:
Number | Path
1 C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
1 C:\Users\bbrun.DESKTOP-OQIHHIQ\Desktop\PortableApps\HiJackThis\HiJackThis.exe
1 C:\WINDOWS\System32\Wbem\WmiPrvSE.exe
1 C:\WINDOWS\system32\SearchIndexer.exe
1 C:\WINDOWS\system32\SecurityHealthService.exe
1 C:\WINDOWS\system32\SgrmBroker.exe
2 C:\WINDOWS\system32\csrss.exe
1 C:\WINDOWS\system32\dasHost.exe
1 C:\WINDOWS\system32\dwm.exe
2 C:\WINDOWS\system32\fontdrvhost.exe
1 C:\WINDOWS\system32\lsass.exe
1 C:\WINDOWS\system32\services.exe
1 C:\WINDOWS\system32\smss.exe
1 C:\WINDOWS\system32\spoolsv.exe
62 C:\WINDOWS\system32\svchost.exe
1 C:\WINDOWS\system32\wininit.exe
1 C:\WINDOWS\system32\winlogon.exe
1 C:\Windows\System32\ApplicationFrameHost.exe
2 C:\Windows\System32\RuntimeBroker.exe
1 C:\Windows\System32\ctfmon.exe
2 C:\Windows\System32\notepad.exe
1 C:\Windows\System32\sihost.exe
1 C:\Windows\System32\smartscreen.exe
1 C:\Windows\System32\taskhostw.exe
1 C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
1 C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
1 C:\Windows\explorer.exe
1 MBAMService.exe
2 NVDisplay.Container.exe
1 Registry

R3 - HKU\S-1-5-21-3234073230-3742036366-1949944855-1002: Default URLSearchHook is missing
O2 - HKLM\..\BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files (x86)\Epson Software\Easy Photo Print\EPTBL.dll
O3 - HKLM\..\Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files (x86)\Epson Software\Easy Photo Print\EPTBL.dll
O4 - Global User Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Memorandum - coll..lnk -> E:\VARIE\Documenti vari\Come fare a\Memorandum.txt
O4 - HKCU\..\Run: [EssentialPIM Portable] = F:\USB\EssentialPIM_AUP\EssentialPIM.exe /autorun
O4 - HKLM\..\Run: [CmPCIaudio] = C:\WINDOWS\syswow64\RunDll32.exe C:\WINDOWS\Syswow64\CMICNFG3.dll,CMICtrlWnd
O7 - TroubleShooting: (EV) HKU\S-1-5-21-3234073230-3742036366-1949944855-1002\..\Environment: [TEMP] = (not exist)
O7 - TroubleShooting: (EV) HKU\S-1-5-21-3234073230-3742036366-1949944855-1002\..\Environment: [TMP] = (not exist)
O15 - HKU\S-1-5-21-3234073230-3742036366-1949944855-1002\..\ProtocolDefaults: - [@ivt] protocol is in Unknown Zone, should be Intranet Zone (User: 'amo')
O15 - HKU\S-1-5-21-3234073230-3742036366-1949944855-1002\..\ProtocolDefaults: - [file] protocol is in Unknown Zone, should be Internet Zone (User: 'amo')
O15 - HKU\S-1-5-21-3234073230-3742036366-1949944855-1002\..\ProtocolDefaults: - [ftp] protocol is in Unknown Zone, should be Internet Zone (User: 'amo')
O15 - HKU\S-1-5-21-3234073230-3742036366-1949944855-1002\..\ProtocolDefaults: - [http] protocol is in Unknown Zone, should be Internet Zone (User: 'amo')
O15 - HKU\S-1-5-21-3234073230-3742036366-1949944855-1002\..\ProtocolDefaults: - [https] protocol is in Unknown Zone, should be Internet Zone (User: 'amo')
O15 - HKU\S-1-5-21-3234073230-3742036366-1949944855-1002\..\ProtocolDefaults: - [knownfolder] protocol is in Unknown Zone, should be My Computer Zone (User: 'amo')
O15 - HKU\S-1-5-21-3234073230-3742036366-1949944855-1002\..\ProtocolDefaults: - [shell] protocol is in Unknown Zone, should be My Computer Zone (User: 'amo')
O17 - DHCP DNS 1: 192.168.1.10
O18 - HKLM\Software\Classes\Protocols\Filter\text/xml: [CLSID] = {807553E5-5146-11D5-A672-00B0D022E945} - (no file)
O18 - HKLM\Software\Classes\Protocols\Handler\msdaipp\0x00000001: [CLSID] = {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - (no file)
O18 - HKLM\Software\Classes\Protocols\Handler\msdaipp\oledb: [CLSID] = {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - (no file)
O18 - HKLM\Software\Classes\Protocols\Handler\mso-offdap11: [CLSID] = {32505114-5902-49B2-880A-1F7738E5A384} - (no file)
O18 - HKLM\Software\Classes\Protocols\Handler\mso-offdap: [CLSID] = {3D9F03FA-7A94-11D3-BE81-0050048385D1} - (no file)
O18 - HKLM\Software\Classes\Protocols\Handler\wlpg: [CLSID] = {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - (no file)
O22 - Task (.job): (disabled) CreateExplorerShellUnelevatedTask.job - (no file)
O22 - Task (.job): (disabled) EPSON WF-2860 Series Update {40DA0318-3943-4B75-9DD5-651500F1FBEC}.job - (no file)
O22 - Task (.job): (disabled) EPSON WF-2860 Series Update {89C8C398-7451-4980-B57B-ED730EE3A4B2}.job - (no file)
O23 - Service R2: Malwarebytes Service - (MBAMService) - C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
O23 - Service R2: NVIDIA Display Container LS - (NVDisplay.ContainerLocalSystem) - C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_19c79fb6254e3b11\Display.NvContainer\NVDisplay.Container.exe -s NVDisplay.ContainerLocalSystem -f C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log -l 3 -d C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_19c79fb6254e3b11\Display.NvContainer\plugins\LocalSystem -r -p 30000 -cfg NVDisplay.ContainerLocalSystem\LocalSystem
O23 - Service S2: AOMEI Backupper Scheduler Service - (Backupper Service) - C:\Program Files (x86)\AOMEI\AOMEI Backupper\6.9.1\ABService.exe
O23 - Service S2: Epson Scanner Service - (EpsonScanSvc) - C:\WINDOWS\system32\EscSvc64.exe
O23 - Service S2: Freemake Improver - C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe



Debug information:

- 30.05.2022 12:38:25 - LoadFileToStream - #0 LastDllError = 5 (Accesso negato.) CreateFile C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
- 30.05.2022 12:38:25 - ParseJob. Unable to open file: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job - #0 LastDllError = 0
- 30.05.2022 12:38:25 - LoadFileToStream - #0 LastDllError = 5 (Accesso negato.) CreateFile C:\WINDOWS\Tasks\EPSON WF-2860 Series Update {40DA0318-3943-4B75-9DD5-651500F1FBEC}.job
- 30.05.2022 12:38:25 - ParseJob. Unable to open file: C:\WINDOWS\Tasks\EPSON WF-2860 Series Update {40DA0318-3943-4B75-9DD5-651500F1FBEC}.job - #0 LastDllError = 0
- 30.05.2022 12:38:25 - LoadFileToStream - #0 LastDllError = 5 (Accesso negato.) CreateFile C:\WINDOWS\Tasks\EPSON WF-2860 Series Update {89C8C398-7451-4980-B57B-ED730EE3A4B2}.job
- 30.05.2022 12:38:25 - ParseJob. Unable to open file: C:\WINDOWS\Tasks\EPSON WF-2860 Series Update {89C8C398-7451-4980-B57B-ED730EE3A4B2}.job - #0 LastDllError = 0

--
End of file - Time spent: 28,6 sec. - 14210 bytes, CRC32: FFFFFFFF. Sign: (unreadable characters)


My OS is Win 10 Enterprise LTSC 2019; as a browser I use Vivaldi.

Thanks.
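Rkill's "Windows Defender Disabled" finding above is a single registry value, and the post asks why it was set. The script below is an added example from the editor, not something posted in the thread: it reads that value and its Group Policy twin (which takes precedence when present), asks the Defender service what state it believes it is in, and lists whichever antivirus products are registered with Windows Security Center, because Defender switches itself off when a third-party product registers there (Malwarebytes Premium does so unless told not to). It only reads; nothing is changed. It assumes the Defender PowerShell module that ships with Windows 10 and an ordinary, non-elevated prompt.

```powershell
# Added example (editor's, not from the thread): show why Windows Defender may be off.
# Read-only. Assumes the built-in Defender module (Get-MpComputerStatus) is present.

$checks = @(
    # The value Rkill reported. Third-party AV installers (and malware) set it.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';          Name = 'DisableAntiSpyware' },
    # Same switch set through policy; wins over the one above if present.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
)

foreach ($c in $checks) {
    # Get-ItemProperty returns nothing (not an error) when the value is absent.
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $state = if ($null -eq $v) { 'not set' } else { "= $v" }
    Write-Output ("{0}\{1} {2}" -f $c.Path, $c.Name, $state)
}

# What the Defender service itself reports.
$mp = $null
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
}
if ($mp) {
    Write-Output ("Defender: AntivirusEnabled={0} RealTimeProtectionEnabled={1} IsTamperProtected={2}" -f
        $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled, $mp.IsTamperProtected)
} else {
    Write-Output 'Get-MpComputerStatus unavailable: Defender service not running or module missing.'
}

# Antivirus products registered with Windows Security Center. If anything other than
# Defender is listed with real-time protection on, Defender steps aside by design.
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    ForEach-Object {
        # productState is an undocumented bitfield; 0x1000 set is the commonly used
        # interpretation for "real-time protection on".
        $on = ($_.productState -band 0x1000) -ne 0
        Write-Output ("SecurityCenter AV: {0} (realtime on: {1})" -f $_.displayName, $on)
    }
```

If the Security Center list shows a product other than Defender with real-time protection on, that product, not malware, is the most likely reason for the value Rkill flagged; if only Defender is listed and the value is still 1, it was set by something else and is worth removing after the cleanup.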
wolfestein
Posted: Monday, May 30, 2022 10:57:09 PM

Rank: AiutAmico

Member since: 2/15/2009
Posts: 15,954
cbbusto
Posted: Tuesday, May 31, 2022 11:27:44 AM

Rank: AiutAmico

Member since: 11/8/2008
Posts: 13,964
Follow what wolfe suggested; if
Spy Hunter lets you do the free removal of what it finds, try it.
Re-enable Defender and run a full scan, see what it finds.
Do this Registry cleanup:
For a deep cleanup of the registry, use Eusing Free Registry Cleaner, software to use occasionally; download it from here: http://www.eusing.com/free_registry_cleaner/registry_cleaner.htm
Click Download Site1; once launched, a window appears asking for the code, click ignore and proceed, then at the top left click Analyze Registry, let it run to the end and don't worry if it finds many entries, then click Repair Registry; the software is safe, and in any case it creates a restore point and also backs up the deleted files; in fact, at the top under Repair Registry there is the Restore Registry entry.
To do this cleanup it's better to close all programs and be disconnected.
The program is compatible with all Windows OSes, including Win 10.

From the log there are no major anomalies; there would be some files to delete, but first do the above, then run an HJT scan and post the new log.
giza
Posted: Tuesday, May 31, 2022 5:51:47 PM

Rank: AiutAmico

Member since: 10/27/2006
Posts: 9,617
bbrun, please delete the other post. Thanks
(edit, select all and delete)
bbrun
Posted: Tuesday, May 31, 2022 6:44:58 PM
Rank: AiutAmico

Member since: 3/14/2005
Posts: 978
Ran Spy Hunter 3 times.

I didn't use it to delete the incriminated files because I don't want to sign up and because, in my very humble opinion, it lists quite a few false positives.
As I said earlier, with the first pass the intruder disappeared 80%; I move on to what Cbbusto asked; in this short period of use there have been no disturbances.

Deleted the first message as Giza asked.
bbrun
Posted: Tuesday, May 31, 2022 7:26:55 PM
Rank: AiutAmico

Member since: 3/14/2005
Posts: 978
Ran Eusing and then went over it again with HijackThis; I'm pasting the log; so far the intruder hasn't shown up.

Quote:

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 19:11:20, on 31/05/2022
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Unable to get Internet Explorer version!


Boot mode: Normal

Running processes:
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe
D:\Users\Tutti\Scaricamenti\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = %11%\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
O4 - HKLM\..\Run: [RUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe"
O4 - HKCU\..\Run: [EssentialPIM Portable] "F:\USB\EssentialPIM_AUP\EssentialPIM.exe" /autorun
O4 - Global Startup: Memorandum - coll..lnk = E:\VARIE\Documenti vari\Come fare a\Memorandum.txt
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Protocol: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AOMEI Backupper Scheduler Service (Backupper Service) - AOMEI International Network Limited - C:\Program Files (x86)\AOMEI\AOMEI Backupper\6.9.1\ABService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Epson Scanner Service (EpsonScanSvc) - Unknown owner - C:\WINDOWS\system32\EscSvc64.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: Freemake Improver - Freemake - C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Container LS (NVDisplay.ContainerLocalSystem) - NVIDIA Corporation - C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_19c79fb6254e3b11\Display.NvContainer\NVDisplay.Container.exe
O23 - Service: @%systemroot%\system32\PerceptionSimulation\PerceptionSimulationService.exe,-101 (perceptionsimulation) - Unknown owner - C:\WINDOWS\system32\PerceptionSimulation\PerceptionSimulationService.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\SecurityHealthAgent.dll,-1002 (SecurityHealthService) - Unknown owner - C:\WINDOWS\system32\SecurityHealthService.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe,-1001 (Sense) - Unknown owner - C:\Program Files (x86)\Windows Defender Advanced Threat Protection\MsSense.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SensorDataService.exe,-101 (SensorDataService) - Unknown owner - C:\WINDOWS\System32\SensorDataService.exe (file missing)
O23 - Service: @%SystemRoot%\System32\SgrmBroker.exe,-100 (SgrmBroker) - Unknown owner - C:\WINDOWS\system32\SgrmBroker.exe (file missing)
O23 - Service: @firewallapi.dll,-50323 (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spectrum.exe,-101 (spectrum) - Unknown owner - C:\WINDOWS\system32\spectrum.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\WINDOWS\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\WINDOWS\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\TieringEngineService.exe,-702 (TieringEngineService) - Unknown owner - C:\WINDOWS\system32\TieringEngineService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\WINDOWS\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\WINDOWS\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 6421 bytes
cbbusto
Posted: Wednesday, June 01, 2022 5:46:32 PM

Rank: AiutAmico

Member since: 11/8/2008
Posts: 13,964
That's already better. Now fix and delete the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = %11%\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone.
At the end, a cleanup with ccleaner and you're all set.
Bye
bbrun
Posted: Wednesday, June 01, 2022 6:35:45 PM
Rank: AiutAmico

Member since: 3/14/2005
Posts: 978
Quote:
Now fix and delete the following lines:


It's not clear to me: do I have to "repair" (fix) those lines or delete them?
How do you repair them?
And if they're to be deleted, why repair them?

All of them show their path, except O15; how do I find it?


Please explain it better.
P.S. so far the intruder hasn't shown up again.

Thanks.

bbrun
Posted: Thursday, June 02, 2022 9:32:19 AM
Rank: AiutAmico

Member since: 3/14/2005
Posts: 978
In the previous round I limited myself to examining the PC and reporting the log.
I re-ran HijackThis, which I don't even remember when, or even whether, I had used before, looking at the options it offers.
I saw there was a Fix button and I pressed it.
Of the lines Cbbusto flagged, only the following remain:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone

O15 remains, so I ask again where it is.
wolfestein
Posted: Thursday, June 02, 2022 3:39:18 PM

Rank: AiutAmico

Member since: 2/15/2009
Posts: 15,954
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
In HijackThis, after the O11 line.
bbrun
Posted: Thursday, June 02, 2022 4:36:15 PM
Rank: AiutAmico

Member since: 3/14/2005
Posts: 978
I looked for the two R0 entries in the path HKLM\Software\Microsoft\Internet Explorer\ and didn't find them; HJT must have deleted them too.

O15 doesn't show a path, so I ran a search in the system registry and found this:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

Computer\HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

Computer\HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

Do I have to delete all of them?

For completeness I'm pasting the second HJT log.

Quote:
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 19:57:59, on 01/06/2022
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Unable to get Internet Explorer version!


Boot mode: Normal

Running processes:
C:\Windows\SysWOW64\rundll32.exe
D:\Users\Tutti\Scaricamenti\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
O4 - HKLM\..\Run: [RUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe"
O4 - Global Startup: Memorandum - coll..lnk = E:\VARIE\Documenti vari\Come fare a\Memorandum.txt
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Protocol: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AOMEI Backupper Scheduler Service (Backupper Service) - AOMEI International Network Limited - C:\Program Files (x86)\AOMEI\AOMEI Backupper\6.9.1\ABService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Epson Scanner Service (EpsonScanSvc) - Unknown owner - C:\WINDOWS\system32\EscSvc64.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: Freemake Improver - Freemake - C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Container LS (NVDisplay.ContainerLocalSystem) - NVIDIA Corporation - C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_19c79fb6254e3b11\Display.NvContainer\NVDisplay.Container.exe
O23 - Service: @%systemroot%\system32\PerceptionSimulation\PerceptionSimulationService.exe,-101 (perceptionsimulation) - Unknown owner - C:\WINDOWS\system32\PerceptionSimulation\PerceptionSimulationService.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\SecurityHealthAgent.dll,-1002 (SecurityHealthService) - Unknown owner - C:\WINDOWS\system32\SecurityHealthService.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe,-1001 (Sense) - Unknown owner - C:\Program Files (x86)\Windows Defender Advanced Threat Protection\MsSense.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SensorDataService.exe,-101 (SensorDataService) - Unknown owner - C:\WINDOWS\System32\SensorDataService.exe (file missing)
O23 - Service: @%SystemRoot%\System32\SgrmBroker.exe,-100 (SgrmBroker) - Unknown owner - C:\WINDOWS\system32\SgrmBroker.exe (file missing)
O23 - Service: @firewallapi.dll,-50323 (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spectrum.exe,-101 (spectrum) - Unknown owner - C:\WINDOWS\system32\spectrum.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\WINDOWS\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\WINDOWS\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\TieringEngineService.exe,-702 (TieringEngineService) - Unknown owner - C:\WINDOWS\system32\TieringEngineService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\WINDOWS\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\WINDOWS\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 5639 bytes
bbrun
Posted: Thursday, June 02, 2022 4:49:07 PM
Rank: AiutAmico

Member since: 3/14/2005
Posts: 978
Deleted.
cbbusto
Posted: Friday, June 03, 2022 2:59:00 PM

Rank: AiutAmico

Member since: 11/8/2008
Posts: 13,964
OK, then you're all set.
bbrun
Posted: Friday, June 03, 2022 5:40:49 PM
Rank: AiutAmico

Member since: 3/14/2005
Posts: 978
Yes, but the O15 paths where the four "@ivt" entries are, what do I do with them?

Are they dangerous or not?
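The O15 lines the thread ends on are not files. They are DWORD values under the ZoneMap\ProtocolDefaults keys bbrun found, one per URL scheme, giving the Internet Explorer/WinINet security zone a scheme falls into when no per-site ZoneMap entry applies (0 = My Computer, 1 = Local Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted). HijackThis compares them with Windows' defaults, so "'http' protocol is in My Computer Zone, should be Internet Zone" means web content would be treated as local content by anything that honours those settings; the O15 fix is to put the default number back, not to delete the keys. The script below is an added example by the editor, not from the thread or from HijackThis: it reads HKCU plus the two HKLM copies bbrun listed (the HKU\.DEFAULT and HKU\S-1-5-18 keys are the LocalSystem account's own profile and can be left alone), reports each deviation in HJT's wording, and with -Fix writes the expected value back. The -Fix switch and the expected-value table are this script's own; the table covers all seven schemes that appear across the two HJT logs, so it goes a little beyond the five lines quoted above. Writing to HKLM needs an elevated prompt; HKCU does not.

```powershell
# Added example (editor's, not from the thread or HJT): audit and optionally restore
# the ZoneMap\ProtocolDefaults values that HijackThis reports as O15 entries.
# Usage:  .\Check-O15.ps1          (report only)
#         .\Check-O15.ps1 -Fix     (also write the expected zone back; HKLM needs elevation)

param([switch]$Fix)

# Expected defaults, i.e. the "should be" half of HJT's O15 line. Assumed by this script.
$expected = @{
    '@ivt'        = 1   # Local Intranet
    'file'        = 3   # Internet
    'ftp'         = 3
    'http'        = 3
    'https'       = 3
    'knownfolder' = 0   # My Computer
    'shell'       = 0
}

$zoneName = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

# Per-user key (what the interactive user's browser uses) plus the two machine-wide copies.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Output "[missing] $key"; continue }
    $item = Get-Item -Path $key
    foreach ($proto in $expected.Keys) {
        $want = $expected[$proto]
        $have = $item.GetValue($proto)    # $null when the value does not exist
        if ($null -eq $have) {
            # A missing value is the likely reason the fork log shows "Unknown Zone" (assumption).
            Write-Output "[absent ] $key : '$proto' has no value"
        } elseif ([int]$have -ne $want) {
            Write-Output ("[differs] {0} : '{1}' protocol is in {2} Zone, should be {3} Zone" -f
                $key, $proto, $zoneName[[int]$have], $zoneName[$want])
        } else {
            Write-Output "[ok     ] $key : '$proto' = $want ($($zoneName[$want]))"
        }
        if ($Fix -and ($null -eq $have -or [int]$have -ne $want)) {
            Set-ItemProperty -Path $key -Name $proto -Value $want -Type DWord
            Write-Output "          -> '$proto' set to $want ($($zoneName[$want]))"
        }
    }
}
```

Run it without -Fix first and compare the "[differs]" lines with the O15 lines in the HJT log; if they match, the script is reading the same values HJT does, and running it again with -Fix restores the defaults without touching anything else in those keys. A value of 0 on http or https is worth correcting even if nothing looks broken, because it is exactly the kind of setting adware installers loosen.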