Aiutamici Forum
Benvenuto Ospite Cerca | Topic Attivi | Utenti | | Log In | Registra

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » controllo log hijackthis

controllo log hijackthis Opzioni
Topic Precedente · Topic Sucessivo
vecchioguzzista
Inviato: Wednesday, September 12, 2012 11:30:55 PM
Rank: Newbie

Iscritto dal : 9/12/2012
Posts: 3
Buona serata.
Credo di avere qualche infezione nel PC.
L'esame automatico del log mi segnala diversi file dubbi ed un probabile virus.
Eseguendo Spybot SD mi vengono segnalate presenti Babilon toolbar ed incredibar, che vengono regolarmente cancellate, ma poi ricompaiono ad una successiva scansione.
Per cortesia mi controllate il log e mi fornite istruzioni per eliminare i problemi?
Grazie!


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23.23.52, on 12/09/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast5\afwServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\twain_32\foto1_00\btnctrl.exe
C:\USBStorage\USBDetector.exe
C:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
C:\Programmi\File comuni\Java\Java Update\jusched.exe
C:\Programmi\Alwil Software\Avast5\avastUI.exe
C:\Programmi\AmIcoSingLun\AmIcoSinglun.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Giovanni\Dati applicazioni\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programmi\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Programmi\SanDisk\SanDisk Media Manager\SanDiskMediaManager-Launcher.EXE
C:\Programmi\Windows Desktop Search\WindowsSearch.exe
C:\Programmi\TextBridge Pro 8.0\Ereg\REMIND32.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Documenti\AppData\PoApp\PService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programmi\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzutDtDtBtCzzyDzytBtC0DtC0BtDtCtBzytN0D0Tzu0CtByEyCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=458612221
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: QpBHO Class - {1658D3A1-9E13-4196-A82A-D70D70880F36} - C:\Programmi\Hewlett-Packard\SmartPrint\QuickPrintBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programmi\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programmi\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [APSDaemon] "C:\Programmi\File comuni\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [PushButton] C:\WINDOWS\twain_32\foto1_00\btnctrl.exe
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\File comuni\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avast] "C:\Programmi\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [PosService] C:\Documents and Settings\All Users\Documenti\AppData\PoApp\PLauncher.exe
O4 - HKLM\..\Run: [AmIcoSinglun] C:\Programmi\AmIcoSingLun\AmIcoSinglun.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Giovanni\Dati applicazioni\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: reminder-Registrazione del prodotto Scansoft.lnk = C:\Programmi\TextBridge Pro 8.0\Ereg\REMIND32.EXE
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Programmi\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: SanDisk Media Manager.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Programmi\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\Giovanni\Dati applicazioni\DVDVideoSoftIEHelpers\freeytvdownloader.htm
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Documents and Settings\Giovanni\Dati applicazioni\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
O9 - Extra button: HP Smart Print - {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Programmi\Hewlett-Packard\SmartPrint\HPQuickPrintLauncher.exe
O9 - Extra 'Tools' menuitem: HP Smart Print - {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Programmi\Hewlett-Packard\SmartPrint\HPQuickPrintLauncher.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1345664561734
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect119b.cab
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://www.ma-config.com/plugins/MaConfig_6_0_1_1.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/pro/cabs/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EBEFBA3-F85F-424F-8B5E-28A4C212AA2A}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F089579-1403-433A-BE33-7DC2B759E909}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{71934C7E-BC0B-4477-94C0-4EAE2677DA22}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EBEFBA3-F85F-424F-8B5E-28A4C212AA2A}: NameServer = 176.31.229.24,176.31.229.25
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Firewall - AVAST Software - C:\Programmi\Alwil Software\Avast5\afwServ.exe
O23 - Service: FNTDAW - Unknown owner - C:\DOCUME~1\Giovanni\IMPOST~1\Temp\FNTDAW.exe (file missing)
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Servizio Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Serv Updater (ServUpdater) - ServiceUpd - C:\Documents and Settings\Giovanni\Impostazioni locali\Dati applicazioni\ServUpdater\ServiceUpd.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Uniblue Powersuite Service (Uniblue.PowersuiteSvc) - Unknown owner - C:\Programmi\Uniblue\Powersuite\powersuite_service.exe

--
End of file - 11032 bytes
Torna in alto
 
Sponsor
Inviato: Wednesday, September 12, 2012 11:30:55 PM

 
Torna in alto
 
wolfestein
Inviato: Thursday, September 13, 2012 12:48:25 AM

Rank: AiutAmico

Iscritto dal : 2/15/2009
Posts: 15,955
Non sono un grande esperto in fatto di virus ma dal log vedo che hai una moltitudine di programmi che si avviano in automatico che non sono essenziali per il funzionamento del sistema e rallentano l'apertura dello stesso per cui ti consiglio di disattivarli.
Per farlo ti consiglio di farlo Ccleaner con il tool Strumenti/Avvio(il processo è totalmente reversibile).
I programmi da disattivare sono:
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [APSDaemon] "C:\Programmi\File comuni\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [PushButton] C:\WINDOWS\twain_32\foto1_00\btnctrl.exe
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\File comuni\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [PosService] C:\Documents and Settings\All Users\Documenti\AppData\PoApp\PLauncher.exe
O4 - HKLM\..\Run: [AmIcoSinglun] C:\Programmi\AmIcoSingLun\AmIcoSinglun.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Giovanni\Dati applicazioni\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - Startup: reminder-Registrazione del prodotto Scansoft.lnk = C:\Programmi\TextBridge Pro 8.0\Ereg\REMIND32.EXE
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Programmi\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: SanDisk Media Manager.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Programmi\Windows Desktop Search\WindowsSearch.exe
Inoltre disattiva il Tea Timer di Spyboot in questo modo:
Apri Spyboot,clicca su Modalità e metti la spunta su Avanzate,clicca su Utilità quindi su Resident,nella schermata a destra togli la spunta a Attiva modulo "Tea Timer"di Resident(Protezione di tutte le impostazioni di sistema).Fatto questo riporta Spyboot nella Modalità normale.
Un consiglio ogni volta che aggiorni Spyboot immunizza il sistema dall'apposito comando di Spyboot.
Per togliere le inutili toolbar puoi usare AdwCleaner(leggi le istruzioni).
http://www.megalab.it/7845/pulizia-approfondita-dei-vostri-browser-con-adwcleaner
Inoltre scarica da Aiutamici Malwarebytes,aggiornalo,fai una scansione completa ed elimina quello che eventualmente trova e posta il log che rilascia.
Torna in alto
 
r16
Inviato: Thursday, September 13, 2012 8:18:32 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Oltre a quelle segnalate da wolfestein, elimina anche queste:

Commenta:
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EBEFBA3-F85F-424F-8B5E-28A4C212AA2A}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F089579-1403-433A-BE33-7DC2B759E909}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{71934C7E-BC0B-4477-94C0-4EAE2677DA22}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EBEFBA3-F85F-424F-8B5E-28A4C212AA2A}: NameServer = 176.31.229.24,176.31.229.25
O23 - Service: Serv Updater (ServUpdater) - ServiceUpd - C:\Documents and Settings\Giovanni\Impostazioni locali\Dati applicazioni\ServUpdater\ServiceUpd.exe

Riavvia il pc.

Rifai la scansione con HijackThis, e controlla se quelle voci ci sono ancora.
Se le trovi le elimini in Modalità provvisoria.

Poi fai questa scansione: (che è quella segnalata da wolfestein)
Scarica Adwcleaner sul desktop:
http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner
Avvialo e clicca sul pulsante "Delete".

Conferma con OK le varie finestre che ti compariranno.
Il pc si riavvierà, e uscirà il log con le eliminazioni.
Postalo qui.
Torna in alto
 
vecchioguzzista
Inviato: Friday, September 14, 2012 6:15:51 PM
Rank: Newbie

Iscritto dal : 9/12/2012
Posts: 3
Grazie per le risposte.
Ho eseguito la pulizia con AdwCleaner e questo è il log:

# AdwCleaner v2.001 - Logfile created 09/14/2012 at 11:04:20
# Updated 09/09/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Giovanni - GOLFEX
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Giovanni\Documenti\Programmi\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\user.js
Folder Deleted : C:\Documents and Settings\All Users\Dati applicazioni\Tarma Installer
Folder Deleted : C:\Documents and Settings\Giovanni\Dati applicazioni\pdfforge
Folder Deleted : C:\Documents and Settings\Giovanni\Dati applicazioni\PriceGong
Folder Deleted : C:\Documents and Settings\Giovanni\Dati applicazioni\Toolbar4
Folder Deleted : C:\Programmi\Conduit
Folder Deleted : C:\Programmi\Yontoo

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011441179}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{336D0C35-8A85-403a-B9D2-65C292C39087}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{338B4DFE-2E2C-4338-9E41-E176D497299E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F9639E4A-801B-4843-AEE3-03D9DA199E77}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011441179}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{336D0C35-8A85-403a-B9D2-65C292C39087}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{338B4DFE-2E2C-4338-9E41-E176D497299E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9639E4A-801B-4843-AEE3-03D9DA199E77}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\f
Key Deleted : HKLM\SOFTWARE\Classes\funmoods.dskBnd
Key Deleted : HKLM\SOFTWARE\Classes\funmoods.dskBnd.1
Key Deleted : HKLM\SOFTWARE\Classes\funmoods.funmoodsHlpr
Key Deleted : HKLM\SOFTWARE\Classes\funmoods.funmoodsHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\funmoodsApp.appCore
Key Deleted : HKLM\SOFTWARE\Classes\funmoodsApp.appCore.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbTask
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbTask.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3196716
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B87F8B63-7274-43FD-87FA-09D3B7496148}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\clbfjfbnelcflpgpklppgplejolacbej
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011441179}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011441179}
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\extensions [{336D0C35-8A85-403a-B9D2-65C292C39087}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzutDtDtBtCzzyDzytBtC0DtC0BtDtCtBzytN0D0Tzu0CtByEyCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=458612221 --> hxxp://www.google.com

*************************

AdwCleaner[R1].txt - [6845 octets] - [14/09/2012 10:30:10]
AdwCleaner[R2].txt - [6856 octets] - [14/09/2012 11:03:52]
AdwCleaner[S2].txt - [7090 octets] - [14/09/2012 11:04:20]

########## EOF - C:\AdwCleaner[S2].txt - [7150 octets] ##########


Per eliminare:

"O23 - Service: Serv Updater (ServUpdater) - ServiceUpd - C:\Documents and Settings\Giovanni\Impostazioni locali\Dati applicazioni\ServUpdater\ServiceUpd.exe"

che resisteva a Hijackthis, ho utilizzato il programma Pserv (si trova presso http://p-nand-q.com/download/pserv_cpl.html), perché non ero capace di cancellarlo dalla modalità provvisoria.

Ho fatto la scansione con Malwarebites (negativa) ed ho rieseguito la scansione con Hijacthis, di cui allego il log qui sotto:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17.35.13, on 14/09/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast5\afwServ.exe
C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: QpBHO Class - {1658D3A1-9E13-4196-A82A-D70D70880F36} - C:\Programmi\Hewlett-Packard\SmartPrint\QuickPrintBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programmi\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programmi\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast] "C:\Programmi\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\Giovanni\Dati applicazioni\DVDVideoSoftIEHelpers\freeytvdownloader.htm
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Documents and Settings\Giovanni\Dati applicazioni\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
O9 - Extra button: HP Smart Print - {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Programmi\Hewlett-Packard\SmartPrint\HPQuickPrintLauncher.exe
O9 - Extra 'Tools' menuitem: HP Smart Print - {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Programmi\Hewlett-Packard\SmartPrint\HPQuickPrintLauncher.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1345664561734
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect119b.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/pro/cabs/as2stubie.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Firewall - AVAST Software - C:\Programmi\Alwil Software\Avast5\afwServ.exe
O23 - Service: FNTDAW - Unknown owner - C:\DOCUME~1\Giovanni\IMPOST~1\Temp\FNTDAW.exe (file missing)
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Servizio Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Programmi\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Uniblue Powersuite Service (Uniblue.PowersuiteSvc) - Unknown owner - C:\Programmi\Uniblue\Powersuite\powersuite_service.exe

--
End of file - 7924 bytes


Mi sembra che il risultato del controllo automatico del log che ho eseguito presso http://www.hijackthis.de/it sia più rassicurante.

Spero di aver risolto i problemi.
Vi ringrazio ancora per la velocità e la gentilezza.
Ciao
Vecchioguzzista



Torna in alto
 
r16
Inviato: Friday, September 14, 2012 10:24:48 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Commenta:
Spero di aver risolto i problemi.

I problemi dovrebbero essere risolti.
Caso mai siamo qui.
Ciao.
Torna in alto
 
Utenti presenti in questo topic
Guest

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » controllo log hijackthis


Salta al Forum
Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Main Forum RSS : RSS

Aiutamici Theme
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.