Aiutamici Forum

Hijack log
pokerdassi
Posted: Thursday, October 18, 2012 11:36:31 AM

Rank: AiutAmico

Joined: 8/31/2007
Posts: 3,452
Hi, yesterday I ran a test with HijackThis because whenever I searched with Google I was always redirected to search.rapidns.net. I don't know how to use HijackThis well, but the result showed 6 entries (all six under HJ number 17) ending with an IP that I have now forgotten. Anyway, that IP is not mine; when I put it in the search bar it belonged to a French server, there was the IP (which started with 176.XXXX) and an OVH SAS address (I think; I can't find the IP or the server even in my history any more). Anyway, I fixed them, so every trace of the hijacking disappeared and the PC went back to normal, as it is today, except that I have the feeling it is slower. For example, at startup the gadgets usually appeared within a second; this morning everything was ready but the gadgets appeared after almost a minute. I repeat, apart from that it may just be my impression. I have Alice's 7 Mb line and a speed test measured 7.06 Mb. So I am posting a HijackThis log; number 17 is no longer there. Could you take a look at it?

thanks

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:22:52, on 18/10/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16450)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Fabio\AppData\Roaming\KoshyJohn.com\MemClean\MemClean.exe
C:\Users\Public\Documents\AppData\PoApp\PService.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 74.208.10.249 gs.apple.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: LinkAirBrowserHelper HistoryTriggerBHO - {21A88CB9-84D2-4020-A2D1-B25A21034884} - C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAirBrowserHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [PosService] C:\Users\Public\Documents\AppData\PoApp\PLauncher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Memory Cleaner] C:\Users\Fabio\AppData\Roaming\KoshyJohn.com\MemClean\MemClean.exe boot
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIZIO DI RETE')
O8 - Extra context menu item: Download with IDM - C:\Users\Fabio\Downloads\IDM.v6.08.9\Internet Download Manager v6.08.9\Crack\IEExt.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: I&nvia a OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: LG Air Sync (R-Click) - Save as Mobile Image - res://C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/206
O8 - Extra context menu item: LG Air Sync (R-Click) - Save as Mobile Memo - res://C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/208
O8 - Extra context menu item: LG Air Sync (R-Click) - Save as Mobile Text file - res://C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/210
O8 - Extra context menu item: LG Air Sync (R-Click) - Set as Mobile Wallpaper - res://C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/205
O8 - Extra context menu item: LG Air Sync Option - res://C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/209
O8 - Extra context menu item: Scarica con Mipony - file://C:\Program Files\MiPony\Browser\IEContext.htm
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} (McciUtilsSpecialFolder Class) - http://77.238.10.101/security/services/static/McciInstaller.cab
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Servizio Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Servizio Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Servizio Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Micro Star SCM - Micro-Star International Co., Ltd. - C:\Program Files\System Control Manager\MSIService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Pos Service (PowerOffer Service) - PowerOfferService - C:\Users\Fabio\AppData\Local\PosService\Pos.exe
O23 - Service: Serv Updater (ServUpdater) - ServiceUpd - C:\Users\Fabio\AppData\Local\ServUpdater\ServiceUpd.exe
O23 - Service: Software Upd (SoftwareUpd) - SoftwareUpdService - C:\Users\Fabio\AppData\Local\SoftwareUpdater\SoftwareUpdService.exe

--
End of file - 7362 bytes

NOW THE PC SEEMS TO BE RUNNING FINE (FAST AND SMOOTH). Anyway, I did some searching online (I don't understand why yesterday's search is no longer in the history) and found a user who has/had the same problem as me. The others were helping him by having him run scans of every kind with every tool. I only looked at the HJ log and, as it happens, under number 17 (there were 8 HijackThis number 17 entries there) there were DNS-related entries, all ending with the number 176.31.229.25, the number I had too, which is the IP of this French server. I don't know whether this user solved it (the thread is fairly old), but he too had/has this, I don't know what to call it, thing that redirects his connections. In fact, if you type "ip 176.31.229.25" into the search bar, all the threads that come up are far from reassuring. Did I do the right thing by deleting them?
shapiro
Posted: Thursday, October 18, 2012 12:15:37 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164

Hi, you did the right thing deleting those entries; they are usually used by infections like this one, which is still on your PC

C:\Users\Public\Documents\AppData\PoApp\PService.exe

fix this one with HijackThis

Code:
O4 - HKLM\..\Run: [PosService] C:\Users\Public\Documents\AppData\PoApp\PLauncher.exe

there are also the services to remove

PowerOffer Service

ServUpdater

SoftwareUpd

to see whether you are really clean, run this scan

Download OTL and save it to the desktop

Tick SCAN ALL USERS.

Under Output, tick Minimal Output

Click the small arrow next to File Age and select 60 Days

Tick LOP Check and Purity Check.

Click RUN SCAN

Let the scan run without interfering.

When the scan finishes you will find 2 logs on the desktop, OTL.txt and Extras.txt; save them and upload them to Wikisend
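
Added example (not part of the thread and not code from any poster or from HijackThis): a small triage script for the log entries singled out above. It flags O4 autostarts and O23 services whose binary sits in a user profile, and O17 name servers outside private ranges; the `\Users\` path heuristic and severity labels are assumptions of this sketch, and the O17 line in the sample is constructed because the originals were fixed before the log was saved.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Lines copied from the HijackThis log in the first post, plus one O17 line
# constructed in the usual HijackThis layout (interface GUID is a placeholder).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [PosService] C:\Users\Public\Documents\AppData\PoApp\PLauncher.exe
O4 - HKCU\..\Run: [Memory Cleaner] C:\Users\Fabio\AppData\Roaming\KoshyJohn.com\MemClean\MemClean.exe boot
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 176.31.229.25
O23 - Service: Servizio Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Pos Service (PowerOffer Service) - PowerOfferService - C:\Users\Fabio\AppData\Local\PosService\Pos.exe
O23 - Service: Serv Updater (ServUpdater) - ServiceUpd - C:\Users\Fabio\AppData\Local\ServUpdater\ServiceUpd.exe
O23 - Service: Software Upd (SoftwareUpd) - SoftwareUpdService - C:\Users\Fabio\AppData\Local\SoftwareUpdater\SoftwareUpdService.exe
"""


class Finding(NamedTuple):
    severity: str  # "high" or "review" (labels chosen for this example)
    section: str   # HijackThis section code: O4, O17 or O23
    item: str      # Run value name, service name, or DNS server
    reason: str


O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\S*: \[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - .+ - (?P<path>[A-Za-z]:\\.+)$')
O17_RE = re.compile(r'^O17 - .*\b(?:Dhcp)?NameServer = (?P<servers>.+)$')
# Executable part of a command line: quoted path, or text up to the first
# extension that is followed by whitespace or end of line.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|dll))(?=\s|$)', re.I)
# Heuristic (assumption): anything under <drive>:\Users\ is writable without
# administrator rights, so machine-wide autostarts should not live there.
PROFILE_RE = re.compile(r'^[a-z]:\\users\\', re.I)


def exe_path(cmd: str) -> str:
    """Return the executable path from a Run-key command line."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def triage(log_text: str) -> List[Finding]:
    """Flag O4, O17 and O23 entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = O4_RE.match(line)
        if m:
            path = exe_path(m['cmd'])
            if PROFILE_RE.match(path):
                # HKLM Run starts the program for every user; HKCU is common
                # for legitimate per-user software, so it only gets "review".
                sev = 'high' if m['hive'] == 'HKLM' else 'review'
                findings.append(Finding(sev, 'O4', m['name'],
                                        'autostart from user profile: ' + path))
            continue

        m = O23_RE.match(line)
        if m:
            if PROFILE_RE.match(m['path']):
                findings.append(Finding('high', 'O23', m['name'],
                                        'service binary in user profile: ' + m['path']))
            continue

        m = O17_RE.match(line)
        if m:
            for server in re.split(r'[,\s]+', m['servers'].strip()):
                try:
                    addr = ipaddress.ip_address(server)
                except ValueError:
                    continue  # not an IP literal, nothing to classify
                if not addr.is_private:
                    findings.append(Finding('review', 'O17', server,
                                            'DNS server outside private ranges; '
                                            'confirm it is the ISP or a chosen resolver'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.severity:6} {f.section:3} {f.item}: {f.reason}')
```

A router-assigned resolver such as 192.168.1.1 produces no O17 finding, while a legitimate public resolver does, which is why O17 hits are marked "review" rather than "high".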
pokerdassi
Posted: Friday, October 19, 2012 10:27:03 AM

Rank: AiutAmico

Joined: 8/31/2007
Posts: 3,452
ok thanks. Meanwhile, let me say it was a fixation of mine, because I still had the doubt whether I had done the right thing deleting those number 17 entries (but online too people talk about changed DNS, domain, etc.); in fact, once the text and IPs were removed, the redirect to rapidns disappeared (indeed rapiDNS ends with dns, and not by chance).

ok, now I'll do what you advised. One question: what is the difference between fixing and deleting with HJ?


edit: with HJ I fixed the first entry, all ok, but the other 3 (the ones to delete) won't delete; they are the last 3 entries in the list, the last 23s.

now I'm downloading the other program
shapiro
Posted: Friday, October 19, 2012 10:34:37 AM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164

basically, when you press Fix checked you delete a key, or part of one, from the registry; it's like putting it in a special quarantine. HJT acts only on the registry
pokerdassi
Posted: Friday, October 19, 2012 10:58:00 AM

Rank: AiutAmico

Joined: 8/31/2007
Posts: 3,452
you wrote while I was editing. Anyway, I fixed the first entry, but the other three won't delete (the last 3 entries in the list). Looking online, even though the entries differ, many users have trouble removing number 23 entries.

anyway, now I'm downloading the other program.


I HAVE THE 2 LOGS that I need to upload to Wikisend; then what happens, do I have to post them?

I go to upload the two .txt files and it gives me an error; I'll try with Firefox.
shapiro
Posted: Friday, October 19, 2012 11:34:35 AM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
Quote:
but the other three won't delete (the last 3 entries in the list),


they can't be deleted that way; you first have to disable them in Services and then fix them

post the logs so we can remove everything; upload them to Wikisend
pokerdassi
Posted: Friday, October 19, 2012 11:45:12 AM

Rank: AiutAmico

Joined: 8/31/2007
Posts: 3,452
so, I uploaded the Extras file to Wikisend; here are both links it gave me

http://wikisend.com/download/331018/Extras.Txt

Extras.Txt

now I'll try to upload the other .txt

this is the download link: http://wikisend.com/download/200064/OTL.Txt


this is the forum link (the same thing as above)

OTL.Txt


anyway, the first and second link of each uploaded file lead to the same page.
pokerdassi
Posted: Friday, October 19, 2012 12:16:58 PM

Rank: AiutAmico

Joined: 8/31/2007
Posts: 3,452
clint--shapiro, I've uploaded the logs to Wikisend. I opened one of the .txt files; in places it looks like a HijackThis log but more complicated. I'm just waiting for word from you, because while with HJ you can make something out, with this OTL you really can't understand anything unless you're an expert.
shapiro
Posted: Friday, October 19, 2012 12:40:33 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164


now open OTL and copy this code under "Custom Scans\Fixes" (do not copy Code:)



Code:
:OTL
PRC - C:\Users\Public\Documents\AppData\PoApp\PService.exe (PService)
SRV - (SoftwareUpd) -- C:\Users\Fabio\AppData\Local\SoftwareUpdater\SoftwareUpdService.exe (SoftwareUpdService)
SRV - (PowerOffer Service) -- C:\Users\Fabio\AppData\Local\PosService\Pos.exe (PowerOfferService)
SRV - (ServUpdater) -- C:\Users\Fabio\AppData\Local\ServUpdater\ServiceUpd.exe (ServiceUpd)
DRV - (VGPU) -- System32\drivers\rdvgkmd.sys File not found
DRV - (UsbGps) -- system32\DRIVERS\lgusbgps.sys File not found
DRV - (MpKsl4c47a63f) -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3B289B99-43CC-436A-A5AA-81B2CB6BDBB5}\MpKsl4c47a63f.sys File not found
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKEY_CURRENT_USER\software\mozilla\SeaMonkey\Extensions\\mozilla_cc@internetdownloadmanager.com: C:\Users\Fabio\AppData\Roaming\IDM\idmmzcc5
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-927511499-2580095553-3253916930-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKU\S-1-5-21-927511499-2580095553-3253916930-1001..\Run: [fsm]  File not found
O4 - HKU\S-1-5-21-927511499-2580095553-3253916930-1001..\Run: [LG LinkAir]  File not found
O8 - Extra context menu item: Download ALL with IDA - Reg Error: Value error. File not found
O8 - Extra context menu item: Download remotely with IDA - Reg Error: Value error. File not found
O8 - Extra context menu item: Download with IDA - Reg Error: Value error. File not found
O8 - Extra context menu item: Download with IDM - C:\Users\Fabio\Downloads\IDM.v6.08.9\Internet Download Manager v6.08.9\Crack\IEExt.htm File not found
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: I&nvia a OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105 File not found
[2012/10/15 18:09:36 | 000,000,000 | ---D | C] -- C:\Users\Fabio\AppData\Local\PowerOffer
[2012/10/15 18:09:34 | 000,000,000 | ---D | C] -- C:\Users\Fabio\AppData\Local\ServUpdater
[2012/10/15 18:09:32 | 000,000,000 | ---D | C] -- C:\Users\Fabio\AppData\Local\PosService
[2012/10/15 17:57:56 | 000,000,000 | ---D | C] -- C:\Users\Fabio\AppData\Local\SoftwareUpdater
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:D1B5B4F1



:Files
C:\Users\Fabio\AppData\Roaming\IDM\idmmzcc5
ipconfig /flushdns /c

:commands
[purity]
[Reboot]




press RUN FIX and attach the log it produces

also run a scan with ComboFix; download it to the desktop (do not install the Recovery Console when it asks)
Let the program work without interfering
Attach the report C:\ComboFix.txt in your reply.
pokerdassi
Posted: Friday, October 19, 2012 1:24:55 PM

Rank: AiutAmico

Joined: 8/31/2007
Posts: 3,452
the first thing you said I can do, but I don't even know how to use Combo; anyway, I'll start by putting the code into OTL.

but do I have to set OTL up again like before?

well, I left it as it was, without reconfiguring it like before. The operation took very little time (a few seconds), but at the end no log file came out, just a notice that I had to restart the PC. I did, but no log.


edit: I reconfigured OTL like before but same story: I have to restart but there is no log file. There is also another thing I had noticed before but thought was an oversight of mine: when I put the code into OTL and press Run Fix, I have to restart, as I already said, but when the PC is up again I see that the files that should be hidden are displayed too (on the desktop I have two desktop.ini files, and if I go in I see some folders I did not see before); I have to put it right again from Folder Options: do not show hidden files and folders.
pokerdassi
Posted: Friday, October 19, 2012 3:40:03 PM

Rank: AiutAmico

Joined: 8/31/2007
Posts: 3,452
here is the Combo file; but now in C:\ I have lots of folders, before I had only 3. Does Combo need to be uninstalled? This program is a bit frightening


ComboFix 12-10-18.03 - Fabio 19/10/2012 15:11:20.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.39.1040.18.1013.280 [GMT 2:00]
Eseguito da: c:\users\Fabio\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\100
c:\programdata\AMMYY
c:\programdata\AMMYY\hr
c:\programdata\AMMYY\hr3
c:\programdata\AMMYY\settings3.bin
c:\users\Fabio\AppData\Local\unins000.exe
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Creati Da 2012-09-19 al 2012-10-19 )))))))))))))))))))))))))))))))))))
.
.
2012-10-19 13:23 . 2012-10-19 13:24 -------- d-----w- c:\users\Fabio\AppData\Local\temp
2012-10-19 13:23 . 2012-10-19 13:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-19 12:56 . 2012-10-12 05:56 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7AA046EA-D847-47DF-9D0E-37855CF01991}\mpengine.dll
2012-10-19 12:26 . 2012-08-30 08:17 6980552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-18 08:36 . 2010-03-09 00:04 -------- d-----w- c:\program files\REG
2012-10-18 08:36 . 2012-07-08 20:40 -------- d-----w- c:\program files\SKIN
2012-10-18 08:36 . 2012-09-21 22:14 -------- d-----w- c:\program files\pl
2012-10-18 08:36 . 2012-06-09 15:51 -------- d-----w- c:\program files\LENG
2012-10-17 15:18 . 2012-10-17 15:18 -------- d-----w- c:\program files\TVdream
2012-10-17 12:06 . 2012-09-24 21:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-17 09:28 . 2012-10-17 09:28 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-15 16:09 . 2012-10-19 12:25 -------- d-----w- c:\users\Fabio\AppData\Local\PowerOffer
2012-10-15 16:09 . 2012-10-19 12:25 -------- d-----w- c:\users\Fabio\AppData\Local\ServUpdater
2012-10-15 16:09 . 2012-10-19 12:25 -------- d-----w- c:\users\Fabio\AppData\Local\PosService
2012-10-15 15:59 . 2012-10-15 16:00 -------- d-----w- c:\users\Fabio\AppData\Local\Songr
2012-10-15 15:57 . 2012-10-19 12:25 -------- d-----w- c:\users\Fabio\AppData\Local\SoftwareUpdater
2012-10-10 07:40 . 2012-08-24 16:57 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-10-10 07:38 . 2012-06-02 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 07:38 . 2012-06-02 04:36 1159680 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 07:38 . 2012-06-02 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 07:38 . 2012-08-31 17:18 1211760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-10-10 07:38 . 2012-08-10 23:56 542208 ----a-w- c:\windows\system32\kerberos.dll
2012-10-10 07:38 . 2012-08-30 17:12 3914096 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-10-10 07:38 . 2012-08-30 17:12 3968880 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-09 15:55 . 2012-10-09 15:55 -------- d-----w- c:\users\Fabio\AppData\Roaming\Groovedown_Uninstall
2012-10-05 14:58 . 2012-10-03 10:50 740784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{91FAD3C6-AB09-497E-A6D9-A1459EF25001}\gapaengine.dll
2012-09-30 09:46 . 2012-09-30 09:56 -------- d-----w- c:\users\Fabio\AppData\Local\Riot
2012-09-30 09:45 . 2012-09-30 09:45 -------- d-----w- c:\program files\Riot
2012-09-26 07:51 . 2012-08-21 20:12 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-09-21 10:44 . 2012-09-21 10:44 -------- d-----w- c:\programdata\Motive
2012-09-21 10:43 . 2010-09-20 10:13 69632 ----a-w- c:\windows\system32\MCCDevice.dll
2012-09-21 10:43 . 2010-09-20 10:13 6048 ----a-w- c:\windows\system32\MCC16.dll
2012-09-21 10:43 . 2012-09-21 10:44 -------- d-----w- c:\program files\Common Files\Motive
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 15:47 . 2012-04-04 07:38 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 15:47 . 2011-12-11 11:09 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-03 10:50 . 2012-02-10 22:00 740784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-09-07 15:04 . 2012-06-23 08:43 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-31 10:27 . 2012-08-15 07:51 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-31 10:27 . 2011-12-24 12:15 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-30 20:03 . 2012-08-30 20:03 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-30 20:03 . 2011-04-27 14:25 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-22 17:16 . 2012-09-12 10:30 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16 . 2012-09-12 10:30 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16 . 2012-09-12 10:30 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16 . 2012-09-12 10:30 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-02 16:57 . 2012-09-12 10:30 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2012-10-11 01:05 . 2012-10-17 09:27 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"Memory Cleaner"="c:\users\Fabio\AppData\Roaming\KoshyJohn.com\MemClean\MemClean.exe" [2011-12-06 785489]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-10-06 7772704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-03-31 2221352]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2009-11-06 2244608]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\B2C_AGENT]
2012-03-28 00:53 404568 ----a-w- c:\programdata\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LG LinkAir]
2011-11-16 22:18 2450288 ----a-w- c:\program files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 07:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R1 MpKsl4c47a63f;MpKsl4c47a63f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3B289B99-43CC-436A-A5AA-81B2CB6BDBB5}\MpKsl4c47a63f.sys [x]
R2 gupdate;Servizio Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 PowerOffer Service;Pos Service;c:\users\Fabio\AppData\Local\PosService\Pos.exe [x]
R2 ServUpdater;Serv Updater;c:\users\Fabio\AppData\Local\ServUpdater\ServiceUpd.exe [x]
R2 SoftwareUpd;Software Upd;c:\users\Fabio\AppData\Local\SoftwareUpdater\SoftwareUpdService.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus.sys [x]
R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag.sys [x]
R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps.sys [x]
R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem.sys [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\lgandadb.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 gupdatem;Servizio Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\DRIVERS\lgvmodem.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 MSILiveVirtualCamera;MSI Live Virtual Camera;c:\windows\system32\DRIVERS\MSILiveVirtualCamera.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 UsbGps;LGE Mobile USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgusbgps.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Servizio Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [x]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [x]
S3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\DRIVERS\lgbtport.sys [x]
S3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\DRIVERS\lgbtbus.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
Contenuto della cartella 'Scheduled Tasks'
.
2012-10-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 15:47]
.
2012-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-15 17:53]
.
2012-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-15 17:53]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.yahoo.it/
uInternet Settings,ProxyOverride = *.local
IE: Download ALL with IDA
IE: Download remotely with IDA
IE: Download with IDA
IE: Download with IDM - c:\users\Fabio\Downloads\IDM.v6.08.9\Internet Download Manager v6.08.9\Crack\IEExt.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: I&nvia a OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
IE: LG Air Sync (R-Click) - Save as Mobile Image - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/206
IE: LG Air Sync (R-Click) - Save as Mobile Memo - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/208
IE: LG Air Sync (R-Click) - Save as Mobile Text file - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/210
IE: LG Air Sync (R-Click) - Set as Mobile Wallpaper - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/205
IE: LG Air Sync Option - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/209
IE: Scarica con Mipony - file://c:\program files\MiPony\Browser\IEContext.htm
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{63343655-A0C6-4728-922E-DE5176C57507}: DhcpNameServer = 192.168.1.1
DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - hxxp://77.238.10.101/security/services/static/McciInstaller.cab
FF - ProfilePath - c:\users\Fabio\AppData\Roaming\Mozilla\Firefox\Profiles\yf2dozaf.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.it
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - ExtSQL: 2012-10-16 14:36; translator@zoli.bod; c:\users\Fabio\AppData\Roaming\Mozilla\Firefox\Profiles\yf2dozaf.default\extensions\translator@zoli.bod.xpi
FF - ExtSQL: 2012-10-16 14:37; artur.dubovoy@gmail.com; c:\users\Fabio\AppData\Roaming\Mozilla\Firefox\Profiles\yf2dozaf.default\extensions\artur.dubovoy@gmail.com.xpi
FF - ExtSQL: 2012-10-16 14:37; {64161300-e22b-11db-8314-0800200c9a66}; c:\users\Fabio\AppData\Roaming\Mozilla\Firefox\Profiles\yf2dozaf.default\extensions\{64161300-e22b-11db-8314-0800200c9a66}.xpi
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
Toolbar-10 - (no file)
HKCU-Run-fsm - (no file)
HKCU-Run-LG LinkAir - (no file)
MSConfigStartUp-APSDaemon - c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
MSConfigStartUp-Google Update - c:\users\Fabio\AppData\Local\Google\Update\GoogleUpdate.exe
MSConfigStartUp-IDMan - c:\program files\Internet Download Manager\IDMan.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-NokiaSuite - c:\program files\Nokia\Nokia Suite\NokiaSuite.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-{0B500125-92A7-40BF-ACF0-45A9221ADE21}_is1 - c:\users\Fabio\AppData\Local\unins000.exe
.
.
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_USERS\S-1-5-21-927511499-2580095553-3253916930-1001_Classes\CLSID\{4a75f2df-1b92-4305-9f12-97b774d52ed6}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000002c
"Therad"=dword:00000014
.
[HKEY_USERS\S-1-5-21-927511499-2580095553-3253916930-1001_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):9d,24,6b,fb,7f,08,2d,12,cd,a5,3e,18,a2,4d,dc,bf,f2,0c,08,eb,38,
16,a8,77,10,c9,04,10,ae,30,cc,ef,f4,30,10,4b,13,80,e9,6c,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Ora fine scansione: 2012-10-19 15:29:14
ComboFix-quarantined-files.txt 2012-10-19 13:29
.
Pre-Run: 19.149.361.152 byte disponibili
Post-Run: 18.981.826.560 byte disponibili
.
- - End Of File - - B042875FB63E880EF9E1C61DC179F9DB
shapiro
Posted: Friday, October 19, 2012 5:08:25 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164

see if you can find the OTL log in C, check carefully; if you can't find it, run OTL again the way I had you set it up before and post the new log
delete the old logs first
pokerdassi
Posted: Friday, October 19, 2012 5:19:19 PM

Rank: AiutAmico

Joined: 8/31/2007
Posts: 3,452
I launch OTL and do those operations with the files I uploaded to wikisend, then I launch the same exe again and put in the code you wrote (I tried both leaving the default configuration and using the one you gave me before); at the end (after 2 seconds) I'm asked to reboot, I restart but there is no log.

but do I have to re-upload the files to wikisend first?
shapiro
Posted: Friday, October 19, 2012 5:22:10 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164

try looking in C to see if you find it, otherwise repeat the scan the way I had you set it up before
pokerdassi
Posted: Friday, October 19, 2012 5:24:23 PM

Rank: AiutAmico

Joined: 8/31/2007
Posts: 3,452
there's nothing in C, what do you mean by "before"? do I enter the code directly or do I re-upload the files to wikisend?
shapiro
Posted: Friday, October 19, 2012 5:32:16 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164

do this

open OTL and click on Clean Up....wait for the restart, then download it from here and set it up as before


once that's done, enter the code I gave you again and click on RUN FIX, and see if it produces the log
pokerdassi
Posted: Friday, October 19, 2012 5:33:12 PM

Rank: AiutAmico

Joined: 8/31/2007
Posts: 3,452
here is the log in the OTL folder in C


========== OTL ==========
No active process named PService.exe was found!
Service SoftwareUpd stopped successfully!
Service SoftwareUpd deleted successfully!
C:\Users\Fabio\AppData\Local\SoftwareUpdater\SoftwareUpdService.exe moved successfully.
Service PowerOffer Service stopped successfully!
Service PowerOffer Service deleted successfully!
C:\Users\Fabio\AppData\Local\PosService\Pos.exe moved successfully.
Service ServUpdater stopped successfully!
Service ServUpdater deleted successfully!
C:\Users\Fabio\AppData\Local\ServUpdater\ServiceUpd.exe moved successfully.
Service VGPU stopped successfully!
Service VGPU deleted successfully!
File System32\drivers\rdvgkmd.sys File not found not found.
Service UsbGps stopped successfully!
Service UsbGps deleted successfully!
File system32\DRIVERS\lgusbgps.sys File not found not found.
Service MpKsl4c47a63f stopped successfully!
Service MpKsl4c47a63f deleted successfully!
File C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3B289B99-43CC-436A-A5AA-81B2CB6BDBB5}\MpKsl4c47a63f.sys File not found not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.
Registry value HKEY_CURRENT_USER\software\mozilla\SeaMonkey\Extensions\\mozilla_cc@internetdownloadmanager.com deleted successfully.
File C:\Users\Fabio\AppData\Roaming\IDM\idmmzcc5 not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\10 not found.
Registry value HKEY_USERS\S-1-5-21-927511499-2580095553-3253916930-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-927511499-2580095553-3253916930-1001\Software\Microsoft\Windows\CurrentVersion\Run\\fsm not found.
Registry value HKEY_USERS\S-1-5-21-927511499-2580095553-3253916930-1001\Software\Microsoft\Windows\CurrentVersion\Run\\LG LinkAir not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download ALL with IDA\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download remotely with IDA\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with IDA\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&sporta in Microsoft Excel\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\I&nvia a OneNote\ deleted successfully.
C:\Users\Fabio\AppData\Local\PowerOffer folder moved successfully.
C:\Users\Fabio\AppData\Local\ServUpdater\settings folder moved successfully.
C:\Users\Fabio\AppData\Local\ServUpdater folder moved successfully.
C:\Users\Fabio\AppData\Local\PosService\settings folder moved successfully.
C:\Users\Fabio\AppData\Local\PosService folder moved successfully.
C:\Users\Fabio\AppData\Local\SoftwareUpdater\settings folder moved successfully.
C:\Users\Fabio\AppData\Local\SoftwareUpdater folder moved successfully.
Unable to delete ADS C:\ProgramData\TEMP:D1B5B4F1 .
========== FILES ==========
File\Folder C:\Users\Fabio\AppData\Roaming\IDM\idmmzcc5 not found.
< ipconfig /flushdns /c >
Configurazione IP di Windows
Cache del resolver DNS svuotata.
C:\Users\Fabio\Desktop\cmd.bat deleted successfully.
C:\Users\Fabio\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.69.0 log created on 10192012_172727
pokerdassi
Posted: Friday, October 19, 2012 5:38:40 PM

Rank: AiutAmico

Joined: 8/31/2007
Posts: 3,452
I RAN a scan with hijack, the 3 entries are no longer there.


hijack log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:39:26, on 19/10/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16450)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Fabio\AppData\Roaming\KoshyJohn.com\MemClean\MemClean.exe
C:\Users\Public\Documents\AppData\PoApp\PService.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: LinkAirBrowserHelper HistoryTriggerBHO - {21A88CB9-84D2-4020-A2D1-B25A21034884} - C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAirBrowserHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Memory Cleaner] C:\Users\Fabio\AppData\Roaming\KoshyJohn.com\MemClean\MemClean.exe boot
O8 - Extra context menu item: LG Air Sync (R-Click) - Save as Mobile Image - res://C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/206
O8 - Extra context menu item: LG Air Sync (R-Click) - Save as Mobile Memo - res://C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/208
O8 - Extra context menu item: LG Air Sync (R-Click) - Save as Mobile Text file - res://C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/210
O8 - Extra context menu item: LG Air Sync (R-Click) - Set as Mobile Wallpaper - res://C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/205
O8 - Extra context menu item: LG Air Sync Option - res://C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/209
O8 - Extra context menu item: Scarica con Mipony - file://C:\Program Files\MiPony\Browser\IEContext.htm
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} (McciUtilsSpecialFolder Class) - http://77.238.10.101/security/services/static/McciInstaller.cab
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Servizio Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Servizio Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Servizio Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Micro Star SCM - Micro-Star International Co., Ltd. - C:\Program Files\System Control Manager\MSIService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

--
End of file - 5727 bytes
shapiro
Posted: Friday, October 19, 2012 5:41:24 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164

given that this happens often, would you tell the friends who are reading (and yours truly) under what name you found the log?

now download adwcleaner, click on delete and attach the log it produces