Ciao,
innnanzitutto vi ringrazio per il servizio: siete davvero gentili.
Il problema riscontrato è dovuto ad uno spyware. Ho installato WebMediaPlayer pensando fosse semplicemente una radio per internet e lo è, ma racchiude anche una piccola e poco carina sorpresina
. Clamwin e Spyboot non lo rilevano.
Il sistema operativo è Windows XP e sono installati ZoneAlarm e Avast. Da un giorno il Centro di Sicurezza PC di Windows avverte che non è attivo nessun firewall anche se ZoneAlarm è funzionante e continua a lanciare i suoi messaggi di alert.
Lo spyware rileva il tipo di pagine che visito, quindi apre delle nuove finestre del browser in cui mi fa vedere delle pubblicità correlate al contenuto di ciò che sto visitando al momento. Alle volte compaiono delle pagine in cui mi si dice che il mio pc è infettato e quindi mi propone di fare delle scansioni on-line.
Come browser uso Firefox 2.0.0.14. Internet Explorer è installato ma lo utilizzo solo quando è strettamente necessario.
Ho notato (empiricamente) che se in Firefox disattivo JavaScript lo spyware non è più in grado di aprire le sue finestre.
Il log è il seguente:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8.46.02, on 27/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
D:\Programmi\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\acs.exe
D:\Programmi\Atheros\ACU.exe
D:\WINDOWS\system32\TCtrlIOHook.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Programmi\TOSHIBA\E-KEY\CeEKey.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\Programmi\Synaptics\SynTP\SynTPEnh.exe
D:\Programmi\Google\Google Talk\googletalk.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
D:\Programmi\Java\jre1.6.0_04\bin\jusched.exe
D:\Programmi\iTunes\iTunesHelper.exe
D:\Programmi\VMware\VMware Player\hqtray.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
D:\Programmi\Unlocker\UnlockerAssistant.exe
D:\Programmi\Synaptics\SynTP\SynToshiba.exe
D:\Programmi\File comuni\Real\Update_OB\realsched.exe
D:\Programmi\ClamWin\bin\ClamTray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Programmi\AllChars\AllChars.exe
D:\Programmi\OpenOffice.org 2.4\program\soffice.exe
D:\WINDOWS\system32\agrsmsvc.exe
D:\Programmi\OpenOffice.org 2.4\program\soffice.BIN
D:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Programmi\Bonjour\mDNSResponder.exe
D:\Programmi\IBM\SQLLIB\BIN\db2jds.exe
D:\Programmi\IBM\SQLLIB\BIN\db2sec.exe
D:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\Programmi\MPICH\mpd\bin\mpd.exe
D:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
D:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
D:\WINDOWS\system32\vmnat.exe
D:\WINDOWS\system32\vmnetdhcp.exe
D:\Programmi\VMware\VMware Player\vmware-authd.exe
D:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
D:\Programmi\Alwil Software\Avast4\ashWebSv.exe
D:\Programmi\iPod\bin\iPodService.exe
d:\documents and settings\sacha\impostazioni locali\dati applicazioni\hoaexvhxxc.exe
D:\WINDOWS\System32\svchost.exe
D:\Programmi\Mozilla Firefox\firefox.exe
D:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
D:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
D:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programmi\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Programmi\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [ACU] D:\Programmi\Atheros\ACU.exe -nogui
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CeEKEY] D:\Programmi\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [HWSetup] D:\Programmi\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SynTPEnh] D:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] D:\Programmi\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Programmi\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VMware hqtray] "D:\Programmi\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [\\Pcfisso\EPSON Stylus Photo RX420 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P41 "\\Pcfisso\EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [Automatico EPSON Stylus Photo RX420 Series su ACER] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P50 "Automatico EPSON Stylus Photo RX420 Series su ACER" /O17 "\\ACER\Stampante3" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ClamWin] "D:\Programmi\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "D:\Programmi\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vidalia] "D:\Programmi\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [hoaexvhxxc] d:\documents and settings\sacha\impostazioni locali\dati applicazioni\hoaexvhxxc.exe hoaexvhxxc
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = D:\Programmi\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: AllChars.lnk = D:\Programmi\AllChars\AllChars.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) -
http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cabO16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) -
http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{9D43FA82-3226-4870-8F9B-DAA2D322CDBF}: NameServer = 193.70.152.15,193.70.152.25
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Servizio di configurazione Atheros (ACS) - Atheros - D:\WINDOWS\system32\acs.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - D:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Server applet DB2 JDBC (DB2JDS) - International Business Machines Corporation - D:\Programmi\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - D:\Programmi\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - D:\Programmi\iPod\bin\iPodService.exe
O23 - Service: MPICH Daemon (C) 2001 Argonne National Lab (mpich_mpd) - Unknown owner - D:\Programmi\MPICH\mpd\bin\mpd.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - D:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Programmi\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - D:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - D:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - D:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 11101 bytes
Vi ringrazio davvero molto per l'aiuto.
