Oltre all'apertura non richiesta delle pagine WEB, dalla scansione con VitIt 5.1 risultano infetti 7 Chiavi Registro infette da Trojan.Win32.Dailer.xx + 14 files infetti. Invio di seguito il LOG HijackThis v1.99.1 con i risultati di scansione.
Ringrazio in anticipo per aiuto.
Logfile of HijackThis v1.99.1
Scan saved at 15.31.43, on 08/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\DOCUME~1\Administrator\Impostazioni locali\Temp\Directory temporanea 2 per hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.philips.com/R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {387FBD8F-7E05-412C-88C9-DC62E21B03DB} - C:\WINDOWS\system32\eoel.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmi\SpywareGuard\dlprotect.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TGX2_VFD] "C:\WINDOWS\system32\TGVFDMsgservice.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programmi\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programmi\File comuni\TerraTec\Remote\TTTvRc.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ioeua] C:\Documents and Settings\utente.NOME-42BD382957\Dati applicazioni\citofarera\sysstvmr.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: CPRun.lnk = C:\Philips\CPRun.exe
O4 - Startup: Power2Go Express.lnk = C:\Programmi\CyberLink\Power2Go\Power2GoExpress.exe
O4 - Global Startup: ABBYY Lingvo 6.0 Launcher.lnk = C:\Programmi\ABBYY Lingvo\LvAgent.exe
O4 - Global Startup: Avvio veloce di Adobe Acrobat.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130341739546O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) -
http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cabO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} (O2C-Player (ELECO Software GmbH)) -
http://www.o2c.de/download/o2cplayer.cabO16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} -
http://www.softlab.name/closer/close.exeO17 - HKLM\System\CCS\Services\Tcpip\..\{1B9D8318-5DE9-4B15-9C34-9F99B8137953}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{B37E57B6-F4B4-4D48-BBA9-5D1A979D6776}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5EF4597-C042-4AC1-B03A-FF5C8D1A1555}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDE83207-50F5-46FD-837D-601842FF2E54}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B9D8318-5DE9-4B15-9C34-9F99B8137953}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{1B9D8318-5DE9-4B15-9C34-9F99B8137953}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CS3\Services\Tcpip\..\{1B9D8318-5DE9-4B15-9C34-9F99B8137953}: NameServer = 85.255.116.56,85.255.112.146
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas
www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
Scan Results:
scan start: 08/07/2006 16.58.27
scan stop: 08/07/2006 17.11.19
scanned items: 127104
found items: 11
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Browser Defaults, Favorites and ZoneMap Scanner, ActiveX Scanner, Browser Activity Scanner, Disk Scanner
Infection Name Location Risk
Trojan.Qhosts HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins High
Trojan.Qhosts HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins## High
Trojan.Qhosts HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins##repiwoh High
Infotel srl HKCR\CLSID\{FFFF0003-0001-101A-A3C9-08002B2F49FB} Medium
Infotel srl HKCR\CLSID\{FFFF0003-0001-101A-A3C9-08002B2F49FB}\InprocServer32 Medium
Infotel srl HKLM\Software\Classes\CLSID\{FFFF0003-0001-101A-A3C9-08002B2F49FB} Medium
Infotel srl HKLM\Software\Classes\CLSID\{FFFF0003-0001-101A-A3C9-08002B2F49FB}\InprocServer32 Medium
Infotel srl HKLM\Software\Microsoft\Code Store Database\Distribution Units\{FFFF0003-0001-101A-A3C9-08002B2F49FB} Medium
Infotel srl HKLM\Software\Microsoft\Code Store Database\Distribution Units\{FFFF0003-0001-101A-A3C9-08002B2F49FB}\Contains Medium
Infotel srl HKLM\Software\Microsoft\Code Store Database\Distribution Units\{FFFF0003-0001-101A-A3C9-08002B2F49FB}\DownloadInformation Medium
Infotel srl HKLM\Software\Microsoft\Code Store Database\Distribution Units\{FFFF0003-0001-101A-A3C9-08002B2F49FB}\InstalledVersion Medium