Aiutamici Forum
Benvenuto Ospite Cerca | Topic Attivi | Utenti | | Log In | Registra

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » Mi controllate il LOG di Hijack

3 pages: [1] 2 3
Mi controllate il LOG di Hijack Opzioni
Topic Precedente · Topic Sucessivo
dabor86
Inviato: Sunday, June 21, 2009 3:32:01 PM
Rank: Member

Iscritto dal : 6/21/2009
Posts: 25
Praticamente immetto una parola sul motore di ricerca(google) e mi appare la pagina dei risultati(come browser uso firefox)clicco su un titolo e sulla banda azzurra di firefox su in alto mi compare la scritta "jumping- firefox" mentre dove dobbiamo scrivere il nome del sito c'è una cosa tipo "signin e il nome del sito",quindi vengo reindirizzato sulla mia pagina iniziale,cioè google.
Come antivirus avevo avg,scaduta la licenza ho provato ad istallare la 8.5 ma mi impalla il pc ed internet,ora ho installato avira,cosa potrei scaricare sennò?C'è anche qualche altro programma che potrebbe aiutarmi??
Cmq vi incollo il log di Hijack:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.18.33, on 21/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmi\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\windows\pp10.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Dati applicazioni\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\File comuni\LightScribe\LightScribeControlPanel.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmi\Windows Live\Contacts\wlcomm.exe
C:\Programmi\Online Solutions\OSAM\osam.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/results.aspx?mkt=it-it&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - FBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - F99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - 312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
R3 - URLSearchHook: (no name) - E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
R3 - URLSearchHook: (no name) - EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programmi\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Programmi\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld10.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Dati applicazioni\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_S8E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Programmi\File comuni\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LiveSearchNotification] "C:\Programmi\Techno Design IP\LiveSearch Notification.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228908700313
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D98D1F2-CBA4-4653-80C5-7FC3A13D1664}: NameServer = 85.37.17.5 85.38.28.77
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D98D1F2-CBA4-4653-80C5-7FC3A13D1664}: NameServer = 85.37.17.5 85.38.28.77
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe

--
End of file - 9184 bytes
Torna in alto
 
Sponsor
Inviato: Sunday, June 21, 2009 3:32:01 PM

 
Torna in alto
 
r16
Inviato: Sunday, June 21, 2009 3:44:15 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Ciao.
Fai queste 2 scansioni;
Scarica ed installa MalwareBytes:
clicca qui per il download : http://www.aiutamici.com/software?id=80346
Prima di fare la scansione AGGIORNALO. (è molto importante)
Esegui una scansione completa del sistema.
Posta il log.

---------------------------------------------------------------------------------------------------------
COMBOFIX
Importante: Disabilita il tuo antivirus e chiudi TUTTI i programmi aperti,(Firewall compreso) e dopo aver scaricato COMBOFIX, chiudi la connessione.

Scarica Combofix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Salvalo sul desktop.
Doppio click su combofix.exe (comparirà una videata.)
Se ti verrà chiesto se vuoi Installare LA CONSOLE DI RIPRISTINO DI EMERGENZA, clicca NO.
E' probabile che ti siano inviati messaggi dall'antivirus, tu ignorali.
Durante l'operazione di scansione è importante non usare il PC (neanche il mouse) e attendere pazientemente la fine delle operazioni.
Al termine, verrà creato un file log sul Desktop, chiamato C:\ComboFix.txt. Postalo qui.

Disinstalla combofix in questo modo: (dopo che avrò visto il log)
Start
Esegui
nella finestra di dialogo, copia ed incolla questo comando: Combofix /u e premi Invio poi cancella le cartelle in "C" di combofix (qoobox)

Poi posta un log aggiornato di HJT.
Torna in alto
 
dabor86
Inviato: Sunday, June 21, 2009 4:15:59 PM
Rank: Member

Iscritto dal : 6/21/2009
Posts: 25
Ora sto facendo la scansione,però c'è Avira che mi manda continui messaggi,dice di aver trovato un trojan...Cmq appena finita la scansione cosa faccio,devo installare conbofix?
Torna in alto
 
dabor86
Inviato: Sunday, June 21, 2009 4:18:49 PM
Rank: Member

Iscritto dal : 6/21/2009
Posts: 25
Ah,scusami,ora ho capito...Attendo e ti posto il LOG nuovo...
Torna in alto
 
r16
Inviato: Sunday, June 21, 2009 4:19:24 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
No, devo vedere il log prima.
Te lo dico io quando disistallarlo.
Se hai disabilitato Avira, è normale che ti esce qualche avviso allarmante, ignoralo e continua la scansione.
Torna in alto
 
dabor86
Inviato: Sunday, June 21, 2009 4:20:56 PM
Rank: Member

Iscritto dal : 6/21/2009
Posts: 25
OK
Torna in alto
 
r16
Inviato: Sunday, June 21, 2009 4:27:14 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Devo uscire.
Elimina quello che trova Malwarebytes.(però posta sempre il log.
Stasera controllo il log di Combofix.
Se dopo la scansione vedi qualche anomalia sul desktop, riavvia il pc, e tutto dovrebbe tornare normale.
Torna in alto
 
dabor86
Inviato: Sunday, June 21, 2009 4:28:08 PM
Rank: Member

Iscritto dal : 6/21/2009
Posts: 25
Va bene,allora a stasera,grazie ciao!
Torna in alto
 
dabor86
Inviato: Sunday, June 21, 2009 5:15:59 PM
Rank: Member

Iscritto dal : 6/21/2009
Posts: 25
File di LOG di Malwarebytes:


Malwarebytes' Anti-Malware 1.38
Versione del database: 2318
Windows 5.1.2600 Service Pack 2

21/06/2009 17.06.01
mbam-log-2009-06-21 (17-06-01).txt

Tipo di scansione: Scansione completa (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Elementi scansionati: 158356
Tempo trascorso: 33 minute(s), 49 second(s)

Processi delle memoria infetti: 1
Moduli della memoria infetti: 1
Chiavi di registro infette: 34
Valori di registro infetti: 6
Elementi dato del registro infetti: 0
Cartelle infette: 1
File infetti: 11

Processi delle memoria infetti:
C:\WINDOWS\pp10.exe (Worm.Koobface) -> Unloaded process successfully.

Moduli della memoria infetti:
c:\programmi\driver\driver.dll (Trojan.Agent) -> Delete on reboot.

Chiavi di registro infette:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\driver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\driver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\driver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.lfgax (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.lfgax.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{eddbb5ee-bb64-4bfc-9dbe-e7c85941335b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\driverdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\driverdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\driverdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wallpaper.wallpapermanager (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wallpaper.wallpapermanager.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\srv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\srv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live-Player (Malware.Trace) -> Quarantined and deleted successfully.
Torna in alto
 
dabor86
Inviato: Sunday, June 21, 2009 5:17:00 PM
Rank: Member

Iscritto dal : 6/21/2009
Posts: 25
File di log di Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.16.14, on 21/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmi\Multimedia Card Reader\shwicon2k.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Dati applicazioni\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\File comuni\LightScribe\LightScribeControlPanel.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/results.aspx?mkt=it-it&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - FBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - F99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - 312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
R3 - URLSearchHook: (no name) - E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
R3 - URLSearchHook: (no name) - EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programmi\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Programmi\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ClamWin] "C:\Programmi\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Dati applicazioni\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_S8E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Programmi\File comuni\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LiveSearchNotification] "C:\Programmi\Techno Design IP\LiveSearch Notification.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228908700313
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D98D1F2-CBA4-4653-80C5-7FC3A13D1664}: NameServer = 85.37.17.5 85.38.28.77
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D98D1F2-CBA4-4653-80C5-7FC3A13D1664}: NameServer = 85.37.17.5 85.38.28.77
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe

--
End of file - 9172 bytes
Torna in alto
 
dabor86
Inviato: Sunday, June 21, 2009 5:17:32 PM
Rank: Member

Iscritto dal : 6/21/2009
Posts: 25
Ora faccio con COMBOFIX e poi posto!
Torna in alto
 
dabor86
Inviato: Sunday, June 21, 2009 5:41:05 PM
Rank: Member

Iscritto dal : 6/21/2009
Posts: 25
Ecco il LOG di conbofix:

ComboFix 09-06-20.04 - Davide 21/06/2009 17.26.14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1527.1136 [GMT 2:00]
Eseguito da: c:\documents and settings\Davide\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-3C24-9E7C08000A00}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmi\driver
c:\documents and settings\Davide\Dati applicazioni\inst.exe
c:\documents and settings\Davide\Impostazioni locali\Temporary Internet Files\lsn_6FBA808F-2580-48c3-8C6B-C08BBB800B8E.xml
c:\programmi\Mozilla Firefox\plugins\npclntax_ZangoSA.dll

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRIVER
-------\Legacy_DRIVERDRV


((((((((((((((((((((((((( Files Creati Da 2009-05-21 al 2009-06-21 )))))))))))))))))))))))))))))))))))
.

2009-06-21 14:12 . 2009-06-21 14:12 -------- d-----w- c:\documents and settings\Davide\Dati applicazioni\Malwarebytes
2009-06-21 14:12 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-21 14:12 . 2009-06-21 14:12 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-06-21 14:12 . 2009-06-21 14:12 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-06-21 14:12 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-21 14:10 . 2009-06-21 14:11 -------- d-----w- c:\documents and settings\Davide\Dati applicazioni\.clamwin
2009-06-21 14:10 . 2009-06-21 14:10 -------- d-----w- c:\programmi\ClamWin
2009-06-21 14:10 . 2009-06-21 14:10 -------- d-----w- c:\documents and settings\All Users\.clamwin
2009-06-21 13:16 . 2009-06-21 13:16 -------- d-----w- c:\programmi\Trend Micro
2009-06-21 12:58 . 2009-06-21 12:58 -------- d-----w- c:\programmi\Online Solutions
2009-06-21 12:58 . 2009-06-21 12:58 -------- d-----w- c:\programmi\File comuni\Online Solutions Shared
2009-06-21 12:49 . 2009-03-30 08:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-21 12:49 . 2009-03-24 14:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-21 12:49 . 2009-02-13 10:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-21 12:49 . 2009-02-13 10:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-21 12:49 . 2009-06-21 12:49 -------- d-----w- c:\programmi\Avira
2009-06-21 12:49 . 2009-06-21 12:49 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Avira
2009-06-20 12:02 . 2003-03-18 19:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-06-20 12:02 . 2009-06-20 12:02 -------- d-----w- c:\programmi\Alwil Software
2009-06-19 07:21 . 2009-06-19 07:21 -------- d-----w- c:\programmi\iPod
2009-06-19 07:21 . 2009-06-19 07:22 -------- d-----w- c:\programmi\iTunes
2009-06-19 07:21 . 2009-06-19 07:22 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-19 07:19 . 2009-06-19 07:19 -------- d-----w- c:\programmi\QuickTime
2009-06-19 07:13 . 2009-06-19 07:13 75048 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-09 17:01 . 2009-06-09 17:01 -------- d-----w- c:\windows\system32\NtmsData
2009-06-02 13:46 . 2001-10-28 15:42 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2009-06-02 13:46 . 1998-08-05 06:45 122128 ----a-w- c:\windows\system32\VB6IT.DLL
2009-06-02 13:46 . 1998-08-05 06:45 150528 ----a-w- c:\windows\system32\MSCMCIT.DLL
2009-06-02 13:46 . 1998-08-05 06:45 63488 ----a-w- c:\windows\system32\MSCC2IT.DLL
2009-06-02 13:46 . 2009-06-02 13:47 -------- d-----w- c:\programmi\PDFCreator
2009-06-02 13:46 . 1998-07-05 23:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2009-05-31 18:50 . 2009-05-31 19:06 -------- d-----w- c:\programmi\PhotoFiltre

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 12:47 . 2008-12-11 15:49 -------- d-----w- c:\programmi\Yahoo!
2009-06-21 12:33 . 2009-04-03 12:23 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\avg8
2009-06-21 11:27 . 2008-12-21 16:59 -------- d-----w- c:\documents and settings\Davide\Dati applicazioni\uTorrent
2009-06-21 10:48 . 2009-04-06 18:52 -------- d-----w- c:\programmi\Lavasoft
2009-06-21 10:48 . 2009-04-06 18:52 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Lavasoft
2009-06-19 10:36 . 2009-01-22 20:39 -------- d-----w- c:\documents and settings\Davide\Dati applicazioni\Apple Computer
2009-06-19 07:21 . 2009-01-22 20:36 -------- d-----w- c:\programmi\File comuni\Apple
2009-06-09 16:57 . 2008-12-18 11:13 -------- d-----w- c:\programmi\File comuni\Adobe
2009-05-26 12:34 . 2009-05-08 21:36 -------- d-----w- c:\programmi\Metin2_Italiano
2009-05-24 13:40 . 2008-12-10 13:54 -------- d-----w- c:\documents and settings\Davide\Dati applicazioni\U3
2009-05-16 12:54 . 2009-05-16 12:54 463360 ----a-w- c:\documents and settings\Davide\Dati applicazioni\Techno Design IP\LiveSearch Notification.exe
2009-05-16 12:54 . 2009-05-16 12:54 -------- d-----w- c:\documents and settings\Davide\Dati applicazioni\Techno Design IP
2009-05-07 15:41 . 2003-04-08 12:00 346112 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 18:08 . 2009-04-30 18:08 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-04-30 18:08 . 2003-04-08 12:00 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-04-29 04:51 . 2003-04-08 12:00 662016 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:51 . 2008-12-10 14:00 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-26 18:23 . 2008-12-22 17:24 -------- d-----w- c:\documents and settings\Davide\Dati applicazioni\Ahead
2009-04-26 11:47 . 2009-04-26 11:43 -------- d-----w- c:\documents and settings\Davide\Dati applicazioni\gtk-2.0
2009-04-26 09:46 . 2009-04-26 09:39 -------- d-----w- c:\programmi\Eicos Deluxe Edition
2009-04-26 09:39 . 2009-04-26 09:41 737280 ----a-w- c:\windows\iun6002.exe
2009-04-25 18:15 . 2008-12-14 15:15 -------- d-----w- c:\programmi\eMule
2009-04-22 18:50 . 2008-12-10 14:06 72480 ----a-w- c:\documents and settings\Davide\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-04-22 15:49 . 2009-04-22 15:49 -------- d-----w- c:\programmi\temp
2009-04-19 20:08 . 2003-04-08 12:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-17 11:55 . 2003-04-08 12:00 70892 ----a-w- c:\windows\system32\perfc010.dat
2009-04-17 11:55 . 2003-04-08 12:00 440460 ----a-w- c:\windows\system32\perfh010.dat
2009-04-15 15:16 . 2003-04-08 12:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-01-20 14:36 . 2009-01-20 14:36 0 ----a-w- c:\programmi\File comuni\dht342126
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"ISUSPM"="c:\documents and settings\All Users\Dati applicazioni\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"LightScribe Control Panel"="c:\programmi\File comuni\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-07-09 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-07-09 114688]
"Sunkist2k"="c:\programmi\Multimedia Card Reader\shwicon2k.exe" [2003-11-26 135168]
"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-01-16 136600]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\programmi\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ClamWin"="c:\programmi\ClamWin\bin\ClamTray.exe" [2009-06-11 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
WinZip Quick Pick.lnk - c:\programmi\WinZip\WZQKPICK.EXE [2008-12-10 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Programmi\\NetMeeting\\conf.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [27/03/2009 22.53.20 55152]
R3 Stmatm;ATM/ADSL miniport;c:\windows\system32\drivers\stmatm.sys [10/12/2008 21.18.45 59466]
R3 TaurusUsb;ADSL Modem USB Service;c:\windows\system32\drivers\torususb.sys [10/12/2008 21.18.45 538925]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 fsssvc;Windows Live Family Safety;c:\programmi\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19.08.58 533360]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\programmi\File comuni\LightScribe\LSRunOnce.exe"
.
Contenuto della cartella 'Scheduled Tasks'

2009-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-06-21 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

2009-06-21 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKCU-Run-LiveSearchNotification - c:\programmi\Techno Design IP\LiveSearch Notification.exe


.
------- Scansione supplementare -------
.
uStart Page = hxxp://it.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 17:32
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1993962763-1123561945-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Ñw*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(616)
c:\programmi\File comuni\Ahead\Lib\NeroSearchBar.dll
c:\programmi\File comuni\Ahead\Lib\MFC71U.DLL
c:\programmi\File comuni\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\msi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Avira\AntiVir Desktop\sched.exe
c:\programmi\Avira\AntiVir Desktop\avguard.exe
c:\programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\File comuni\LightScribe\LSSrvc.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\WgaTray.exe
c:\programmi\iPod\bin\iPodService.exe
c:\programmi\File comuni\Ahead\Lib\NMIndexingService.exe
c:\programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Ora fine scansione: 2009-06-21 17.36.57 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-06-21 15:36

Pre-Run: 8.289.017.856 byte disponibili
Post-Run: 16.325.746.688 byte disponibili

197 --- E O F --- 2009-06-10 16:55
Torna in alto
 
simo95
Inviato: Sunday, June 21, 2009 5:51:53 PM

Rank: AiutAmico

Iscritto dal : 12/4/2008
Posts: 2,008
Il worm koobface si prende cliccando sui link che gli amici (che in verità è l'hacker) ti inviano via netlog o facebook. Portano ad un sito molto simile a youtube dove ti dicono di installare adobe flash player (ma è un fake, cioè il worm). Quando accetti il controllo activeX sei ormai infetto. Quindi prestate attenzione!!!
Torna in alto
 
r16
Inviato: Sunday, June 21, 2009 6:40:30 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Ottimo.
Disattiva il ripristino configurazione di sistema, e tienilo disattivato, fino alla soluzione del problema http://guide.aiutamici.com/guide?C1=7&C2=68&ID=80121

Dai una pulita (registro compreso)con CCleaner http://www.aiutaamici.com/software?ID=11223
Poi:
Se non sai "fixare"le voci,segui questa guida dettagliata: http://www.aiutaamici.com/software?ID=11175

Avvia hijackthis, metti la spunta alle voci che andrò ad elencarti e con tutte le applicazioni chiuse e disconnesso da Internet,premi su fix checked

R3 - URLSearchHook: (no name) - FBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - F99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - 312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
R3 - URLSearchHook: (no name) - E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
R3 - URLSearchHook: (no name) - EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Dati applicazioni\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LiveSearchNotification] "C:\Programmi\Techno Design IP\LiveSearch Notification.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Dai una pulita (registro compreso)con CCleaner.
********************************************************************************************************************************
Fai una scansione in Modalità Provvisoria con il tuo Antivirus.
Per il momento esegui queste indicazioni.
Seguiranno indicazioni per le pulizie, e aggiornamento Sistema Operativo
Riscontri problemi?
Torna in alto
 
dabor86
Inviato: Sunday, June 21, 2009 8:05:40 PM
Rank: Member

Iscritto dal : 6/21/2009
Posts: 25
Ho eseguito le operazioni,ora sto controllando con avira,però mi dice che ho bisogno di un programma per riparare un qualcosa in C:\ e in D:\
Ora sta analizzando...Cosa devo fare?
Il ripristino configurazione di sistema è sempre disattivato...
Torna in alto
 
r16
Inviato: Sunday, June 21, 2009 8:27:07 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Dovrei sapere cos'è "quel qualcosa" che si deve riparare.
Torna in alto
 
dabor86
Inviato: Sunday, June 21, 2009 8:30:00 PM
Rank: Member

Iscritto dal : 6/21/2009
Posts: 25
Una cosa tipo "file di riavvio",poi cmq è partito avira ed ora sta facendo la scansione tranquillamente...L'unica cosa è che a volte mi suona il PC,non l'aveva mai fatto...
Torna in alto
 
r16
Inviato: Sunday, June 21, 2009 8:31:33 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Lasciamo finire la scansione di Avira.
E' possibile che per eliminare un file infetto richieda un "Riavvio".
Postami il log quando finisce.
Torna in alto
 
dabor86
Inviato: Sunday, June 21, 2009 8:32:13 PM
Rank: Member

Iscritto dal : 6/21/2009
Posts: 25
Ok,a fra poco!
Torna in alto
 
Utenti presenti in questo topic
Guest

3 pages: [1] 2 3

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » Mi controllate il LOG di Hijack


Salta al Forum
Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Main Forum RSS : RSS

Aiutamici Theme
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.