Aiutamici Forum
Benvenuto Ospite Cerca | Topic Attivi | Utenti | | Log In | Registra

scansione hijack Opzioni
luca76it2002
Inviato: Friday, November 13, 2009 8:19:40 AM
Rank: Member

Iscritto dal : 11/27/2004
Posts: 6
ciao a tutti, potete controllare questo log per cortesia ?

grazie

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:10:21, on 13/11/2009
Platform: Unknown Windows (WinNT 6.01.3004)
MSIE: Internet Explorer v8.00 (8.00.7100.0000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Users\luca\AppData\Local\Temp\c.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\Windows\SysWow64\msxml71.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ewnfw] "c:\users\luca\appdata\local\ewnfw.exe" ewnfw
O4 - HKCU\..\Run: [PPAP] C:\ProgramData\PPLiveVA\Application\PPAP.exe
O4 - HKCU\..\Run: [FlashGet 3] "C:\Program Files (x86)\FlashGet Network\FlashGet 3\Flashget3.exe" -minimize
O4 - HKCU\..\Run: [FlashGetBHO] "C:\Program Files (x86)\FlashGet Network\FlashGet 3\mxhelper.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [userford] "C:\ProgramData\debugthethe.310ba"
O4 - HKCU\..\Run: [Base road long save] "C:\ProgramData\love amok user.f5qyq"
O4 - HKCU\..\Run: [TurboNet] C:\Users\luca\AppData\Local\Temp\c.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Aggiungi a PDF esistente - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Aggiungi destinazione link a PDF esistente - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files (x86)\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10295 bytes
Sponsor
Inviato: Friday, November 13, 2009 8:19:40 AM

 
antonpaco
Inviato: Friday, November 13, 2009 10:03:53 AM
Rank: AiutAmico

Iscritto dal : 11/7/2006
Posts: 1,180
O4 - HKCU\..\Run: [userford] "C:\ProgramData\debugthethe.310ba"
O4 - HKCU\..\Run: [Base road long save] "C:\ProgramData\love amok user.f5qyq"
Queste due voci sono infette, fai una scansione con malwarebytes scaricabile da aiutamici oppure da www.malwarebytes.org. Pubblica la scansione prima di cancellare.
luca76it2002
Inviato: Friday, November 13, 2009 6:58:34 PM
Rank: Member

Iscritto dal : 11/27/2004
Posts: 6
ecco la scansione che mi hai consigliato


Malwarebytes' Anti-Malware 1.41
Versione del database: 3161
Windows 6.1.7100

13/11/2009 18:58:03
mbam-log-2009-11-13 (18-57-57).txt

Tipo di scansione: Scansione completa (C:\|)
Elementi scansionati: 362582
Tempo trascorso: 48 minute(s), 40 second(s)

Processi delle memoria infetti: 1
Moduli della memoria infetti: 0
Chiavi di registro infette: 13
Valori di registro infetti: 4
Elementi dato del registro infetti: 1
Cartelle infette: 0
File infetti: 12

Processi delle memoria infetti:
C:\Windows\msb.exe (Trojan.Agent) -> No action taken.

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
HKEY_CLASSES_ROOT\netpumper.addurl (Trojan.Swizzor) -> No action taken.
HKEY_CLASSES_ROOT\netpumpernnproxy.netscapeinterface (Trojan.Swizzor) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml (Worm.Allaple) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml.1 (Worm.Allaple) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Worm.Allaple) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{9233c3c0-1472-4091-a505-5580a23bb4ac} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Worm.Allaple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Worm.Allaple) -> No action taken.
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-netpumper-detector (Adware.NetPumper) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\NetPumper.exe (Adware.NetPumper) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live-Player (Malware.Trace) -> No action taken.

Valori di registro infetti:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ewnfw (Trojan.Agent.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\turbonet (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Netscape\Netscape Navigator\Automation Protocols\ftp (Adware.NetPumper) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Netscape\Netscape Navigator\Automation Protocols\http (Adware.NetPumper) -> No action taken.

Elementi dato del registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
C:\Users\luca\Local Settings\Application Data\ewnfw_navps.dat (Adware.Navipromo.H) -> No action taken.
C:\Users\luca\Local Settings\Application Data\ewnfw_nav.dat (Adware.Navipromo.H) -> No action taken.
C:\Users\luca\Local Settings\Application Data\ewnfw.dat (Adware.Navipromo.H) -> No action taken.
C:\Users\luca\AppData\Local\Temp\a.exe (Trojan.FraudPack) -> No action taken.
C:\Users\luca\AppData\Local\Temp\b.exe (Trojan.FraudPack) -> No action taken.
C:\Users\luca\AppData\Local\Temp\msxml71.dll (Trojan.FraudPack) -> No action taken.
C:\Users\luca\AppData\Local\Temp\SetCertAcl.exe (Adware.NetPumper) -> No action taken.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> No action taken.
C:\Users\luca\AppData\Local\Temp\c.exe (Trojan.FakeAlert) -> No action taken.
C:\Windows\msa.exe (Trojan.Agent) -> No action taken.
C:\Windows\msb.exe (Trojan.Agent) -> No action taken.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.


Elimino le voci?
luca76it2002
Inviato: Friday, November 13, 2009 7:12:39 PM
Rank: Member

Iscritto dal : 11/27/2004
Posts: 6
Volevo aggiungere una cosa, non so se sia utile, lo spero.
Ogni tanto mi si aprono delle pagine web per conto loro e in task manager ho notato la presenza di diversi processi di ie che anche se li chiudono ripartono automaticamente.
simo95
Inviato: Friday, November 13, 2009 7:20:52 PM

Rank: AiutAmico

Iscritto dal : 12/4/2008
Posts: 2,008
Ti credo che si aprono finestre in continuazione.
Hai il Navipromo.
Vedrai che gli esperti ti aiuteranno.

P.S.: Disinstalla il live-player (è un covo di virus), riavvia il pc, e pulisci con CCleaner (per ora non il registro, non si deve mai fare quando si ha il pc infetto)
luca76it2002
Inviato: Friday, November 13, 2009 7:41:03 PM
Rank: Member

Iscritto dal : 11/27/2004
Posts: 6
disinstallato e fatto la pulizia con ccleaner, ovviamente il problema dei processi di ie rimane hehehehe
simo95
Inviato: Friday, November 13, 2009 8:07:36 PM

Rank: AiutAmico

Iscritto dal : 12/4/2008
Posts: 2,008
luca76it2002 ha scritto:
disinstallato e fatto la pulizia con ccleaner, ovviamente il problema dei processi di ie rimane hehehehe

Tranquillo, ci vuole un tool specifico.

Ciao

Arriva shap!
Utenti presenti in questo topic
Guest


Salta al Forum
Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Main Forum RSS : RSS

Aiutamici Theme
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.