View Full Version : Analyzing a HijackThis log on your own


MrOZ
25-07-2004, 10:38
This is a web page with a script to analyze a HijackThis log:

http://hijackthis.de/index.php?langselect=english

Just copy the contents of hijackthis.log into the box at the bottom and press "analyze"; you'll then get an analysis of your log.

- Careful, though: this system is still under development, so it doesn't recognize all programs yet.


A HijackThis tutorial is available here:
http://www.bleepingcomputer.com/tutorials/tutorial42.html

Bye.

Bandit
25-07-2004, 10:39
ok;)

netquik
25-07-2004, 14:09
great, MrOz!

it seems to use Pacman's information for the startups, or am I wrong?

cheers

wgator
25-07-2004, 14:24
:)

wow... not bad at all... and it gets it right quite often :D

a great aid for interpreting logs...

Edit

I did a few experiments with the infested logs :D of some forum users. As MrOz rightly points out, a bit of caution before deleting anything doesn't hurt, but it seems fairly reliable.

Maybe it deserves to be pinned... what do you think, Eraser? :)

eraser
25-07-2004, 17:52
yes, I'll pin it

sorry, but I came back yesterday and missed a few things :D

wgator
25-07-2004, 18:20
Originally posted by eraser
yes, I'll pin it

sorry, but I came back yesterday and missed a few things :D

:spam: Hmm... nothing serious or important; unfortunately neither Naomi nor Megane dropped by to visit us on our favorite forum :cry:

... only assorted viruses, trojans and malware...

:D bye

The Lenny
26-07-2004, 20:10
Originally posted by MrOZ
This is a web page with a script to analyze a HijackThis log:

http://hijackthis.de/index.php?langselect=english

Just copy the contents of hijackthis.log into the box at the bottom and press "analyze"; you'll then get an analysis of your log.

- Careful, though: this system is still under development, so it doesn't recognize all programs yet.

Bye.

Indeed, a few programs still slip through, but I don't think it's worth tearing your hair out over it..
WELL DONE MROZ!!
:winner:

MrOZ
01-08-2004, 16:05
Well, anyway, since the day I posted the link they've made remarkable progress... now it recognizes many more installed, non-dangerous programs...

...I had sent them an email pointing out that the log checker didn't recognize the DialerControl, BOClean and L'n'S files; now it does ;)

Idx
01-08-2004, 16:17
Really excellent! Now the logs are easier to understand! ;)

fabius00
04-08-2004, 14:11
It gives me this

http://hijackthis.de/logfiles/301ed24a1de2e6e4d8f11a5db4fe91aa.html

wgator
05-08-2004, 18:39
Hi,

:D :sofico: hehehe, now, I don't know why :eek: it flags the "Links" button on the Internet Explorer toolbar as "dangerous".

Until a couple of days ago it only considered it "unknown".

Edit of 07/08/04:

We found out that it misses (flagging it as safe) this little thing here:
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe

which instead would seem to belong to this trojan:

Name: Mojuo.w32
Type: Trojan
File Name: mcc.exe
Found: 06.23.2004
Packer: UPX based
Installation: Copies itself to "Windows\System32" and registers itself in autostartup key [HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ CurrentVersion\ Run] "Multimedia Codecs" = "%system%\mcc.exe"
Size (bytes): 36864
Components: mcc.exe

The Log Analyzer instead says that:

The entered application Multimedia Codecs was identified: Multimedia KBDorMULTIMEDIA KEYBOARD. Hit rate: 43,08 % (result)

Moral: double-check everything with the old-fashioned methods too :D

iron84
16-08-2004, 22:41
Thanks to this thread, I'm learning to analyze my HijackThis log on my own. I've already found some spyware.... Then, once my analysis is finished, I'll try submitting the log to that page that analyzes logs, to see the result of the hard work.
I wanted to ask you a question, though.
For the O2 and O3 lines you're supposed to look at the page www.sysinfo.org/bholist.php and check whether the object in question is classified as X (spyware), L ("good"), O (under debate) or ?. But I have a line that isn't recognized on that site; it's the following:

O3 - Toolbar: (no name) - {31D1CA78-F919-4198-8DA5-AB6F44E4AB28} - (no file)
how should one proceed in these cases?


One last clarification: what do the small captions "BHO" and "LT" next to the letters mentioned above mean?

Thank you very much.

MrOZ
19-08-2004, 01:52
Originally posted by iron84
Thanks to this thread, I'm learning to analyze my HijackThis log on my own. I've already found some spyware.... Then, once my analysis is finished, I'll try submitting the log to that page that analyzes logs, to see the result of the hard work.
I wanted to ask you a question, though.
For the O2 and O3 lines you're supposed to look at the page www.sysinfo.org/bholist.php and check whether the object in question is classified as X (spyware), L ("good"), O (under debate) or ?. But I have a line that isn't recognized on that site; it's the following:

O3 - Toolbar: (no name) - {31D1CA78-F919-4198-8DA5-AB6F44E4AB28} - (no file)
how should one proceed in these cases?


One last clarification: what do the small captions "BHO" and "LT" next to the letters mentioned above mean?

Thank you very much.


That O3 string is a leftover; you can delete it.

"BHO" means Browser Helper Object and stands for anything/any file that modifies the browser's settings or structure.

netquik
19-08-2004, 02:03
what do the small captions "BHO" and "LT" next to the letters mentioned above mean?


MrOZ has answered about BHO

as for LT... I think you meant TB, which obviously stands for ToolBar

Nicky
20-08-2004, 10:05
This is good news.
Lately I'm turning into a security maniac, and constantly bugging people here doesn't seem right.
When I'm back from vacation I'll see how it works :p

MrOZ
26-08-2004, 18:53
Originally posted by Nicky
This is good news.
Lately I'm turning into a security maniac, and constantly bugging people here doesn't seem right.
When I'm back from vacation I'll see how it works :p


WELL... look who's back :p

Careful, you're at the tail end of it... these are the last days :D :D ENJOY THEM!!! :gluglu:


bye :vicini: ...and see you soon :cincin:

iron84
27-08-2004, 23:22
I know I read in a thread that you shouldn't post HijackThis logs if you don't have problems with your computer. Apart from Explorer crashing now and then or wmplayer freezing, I don't have big problems, but I think that's because I need to format, so I'm not worried.
The thing is that now, right before formatting, I was experimenting with a few things, among them this security stuff.
Then I used Spybot.
Now I'll post the log from before and then, below it, the one "cleaned by me" (I still have to remove DAP) to see whether I did a good job; if all goes well I should be able to manage on my own without abusing your time.

My questions are:
1) Why are DAP and Statbar considered spyware?
2) What do you think that active rundll32.exe process is? It doesn't look like Windows junk to me.
3) I don't know what this line corresponds to => F:\WINDOWS\downlo~1\f4bwd1g\jvxtf2.exe





Logfile of HijackThis v1.98.2
Scan saved at 18.49.00, on 15/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Programmi\Sygate\SPF\smc.exe
F:\WINDOWS\Explorer.EXE
F:\Documents and Settings\Diego\Desktop\RedLine\Taskbar.exe
F:\programmi\ASUS\AsusProb.exe
F:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
F:\SCANJET\PrecisionScanLT\hppwrsav.exe
F:\Programmi\File comuni\Real\Update_OB\realsched.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Programmi\QuickTime\qttask.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Programmi\Elaborate Bytes\CloneCD\CloneCDTray.exe
F:\Programmi\D-Tools\daemon.exe
F:\PROGRAMMI\EASY FILE PROTECTOR\EFPA.exe
F:\WINDOWS\System32\rundll32.exe
F:\Programmi\File comuni\Nokia\NCLTools\NclTray.exe
F:\Programmi\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\sj652\hpupdate.exe
F:\Programmi\Messenger\msmsgs.exe
F:\Programmi\ATI Multimedia\RemCtrl\ATIX10.exe
F:\Programmi\ATI Multimedia\main\ATISched.EXE
F:\Programmi\vmtu\VMTU.Exe
F:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
F:\Programmi\File comuni\Nokia\Services\ServiceLayer.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\System32\rundll32.exe
F:\Programmi\Digisoft AntiDialer\AntiDialer.exe
F:\WINDOWS\downlo~1\f4bwd1g\jvxtf2.exe
F:\Documents and Settings\Diego\Desktop\redline\gameutil.exe
F:\Programmi\SEC\Natural Color\NaturalColorLoad.exe
F:\Programmi\Norton AntiVirus\navapsvc.exe
F:\Programmi\Palick Soft\SIGuardian\SIGuardian.exe
F:\Programmi\Globe Software\StatBar\StatBar.exe
F:\Programmi\File comuni\Real\Update_OB\rnathchk.exe
F:\Documents and Settings\Diego\Impostazioni locali\Temp\HijackThis.exe
F:\Programmi\Expert System\PlanetGate Trio\Point&Go.exe
F:\Programmi\Expert System\PlanetGate Trio\txtuser.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - F:\Programmi\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - F:\Programmi\NewDotNet\newdotnet6_22.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - F:\Programmi\DAP\DAPIEBar.dll
O3 - Toolbar: (no name) - {31D1CA78-F919-4198-8DA5-AB6F44E4AB28} - (no file)
O3 - Toolbar: UCmore - The Search Accelerator Toolbar - {44BE0690-5429-47f0-85BB-3FFD8020233E} - F:\Programmi\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [RedLine Taskbar] F:\Documents and Settings\Diego\Desktop\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [ASUS Probe] f:\programmi\ASUS\AsusProb.exe
O4 - HKLM\..\Run: [EM_EXEC] F:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [hppwrsav] F:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [TkBellExe] F:\Programmi\File comuni\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ATIPTA] F:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "F:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "F:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "F:\Programmi\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [Prozrachnaya2.exe] F:\Programmi\DBSOFT\PYE.exe
O4 - HKLM\..\Run: [mspwr] F:\WINDOWS\System32\pwrupst.exe
O4 - HKLM\..\Run: [PCXLSE] F:\Programmi\PCAccel6000\pcaccel.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 F:\PROGRA~1\NewDotNet\newdotnet6_22.dll,NewDotNetStartup
O4 - HKLM\..\Run: [RVP] "F:\Programmi\RVP\bpc.e*e"
O4 - HKLM\..\Run: [webHancer Survey Companion] "F:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [SmcService] F:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Nokia Tray Application] F:\Programmi\File comuni\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] F:\Programmi\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [HP Update 3400C] C:\sj652\hpupdate.exe 3400C
O4 - HKCU\..\Run: [MSMSGS] "F:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] F:\Programmi\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI Scheduler] F:\Programmi\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [WashAndGo - Cleanup of old Backupfiles] "F:\Programmi\WashAndGo\checker.exe /check"
O4 - HKCU\..\Run: [VMTU] F:\Programmi\vmtu\VMTU.Exe
O4 - Startup: SIGuardian.lnk = F:\Programmi\Palick Soft\SIGuardian\SIGuardian.exe
O4 - Startup: StatBarr.lnk = F:\Programmi\Globe Software\StatBar\StatBar.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digisoft AntiDialer.lnk = F:\Programmi\Digisoft AntiDialer\AntiDialer.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Programmi\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - F:\PROGRA~1\DAP\DAP.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: F:\Programmi\Internet Explorer\Plugins\NPDocBox.dll


=====================================================================================
After cleaning

Logfile of HijackThis v1.98.2
Scan saved at 23.51.49, on 27/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Programmi\Sygate\SPF\smc.exe
F:\WINDOWS\Explorer.EXE
F:\Documents and Settings\Diego\Desktop\RedLine\Taskbar.exe
F:\programmi\ASUS\AsusProb.exe
F:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
F:\SCANJET\PrecisionScanLT\hppwrsav.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programmi\File comuni\Real\Update_OB\realsched.exe
F:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Programmi\QuickTime\qttask.exe
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Programmi\Elaborate Bytes\CloneCD\CloneCDTray.exe
F:\PROGRAMMI\EASY FILE PROTECTOR\EFPA.exe
F:\Programmi\D-Tools\daemon.exe
F:\Programmi\File comuni\Nokia\NCLTools\NclTray.exe
F:\Programmi\Nokia\Nokia PC Suite 5\DataLayer.exe
F:\Programmi\Messenger\msmsgs.exe
F:\Programmi\ATI Multimedia\RemCtrl\ATIX10.exe
F:\Programmi\ATI Multimedia\main\ATISched.EXE
F:\WINDOWS\System32\Ati2evxx.exe
F:\Programmi\File comuni\Nokia\Services\ServiceLayer.exe
F:\Programmi\vmtu\VMTU.Exe
F:\WINDOWS\downlo~1\f4bwd1g\jvxtf2.exe
F:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
F:\Programmi\Digisoft AntiDialer\AntiDialer.exe
F:\Documents and Settings\Diego\Desktop\redline\gameutil.exe
F:\WINDOWS\System32\rundll32.exe
F:\Programmi\SEC\Natural Color\NaturalColorLoad.exe
F:\Programmi\Norton AntiVirus\navapsvc.exe
F:\Programmi\Palick Soft\SIGuardian\SIGuardian.exe
F:\Programmi\Globe Software\StatBar\StatBar.exe
F:\Documents and Settings\Diego\Impostazioni locali\Temp\HijackThis.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - F:\Programmi\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - F:\Programmi\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [RedLine Taskbar] F:\Documents and Settings\Diego\Desktop\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [ASUS Probe] f:\programmi\ASUS\AsusProb.exe
O4 - HKLM\..\Run: [EM_EXEC] F:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [hppwrsav] F:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [TkBellExe] F:\Programmi\File comuni\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ATIPTA] F:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "F:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "F:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "F:\Programmi\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [mspwr] F:\WINDOWS\System32\pwrupst.exe
O4 - HKLM\..\Run: [PCXLSE] F:\Programmi\PCAccel6000\pcaccel.exe
O4 - HKLM\..\Run: [SmcService] F:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Nokia Tray Application] F:\Programmi\File comuni\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] F:\Programmi\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] F:\Programmi\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI Scheduler] F:\Programmi\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [WashAndGo - Cleanup of old Backupfiles] "F:\Programmi\WashAndGo\checker.exe /check"
O4 - HKCU\..\Run: [VMTU] F:\Programmi\vmtu\VMTU.Exe
O4 - Startup: SIGuardian.lnk = F:\Programmi\Palick Soft\SIGuardian\SIGuardian.exe
O4 - Startup: StatBarr.lnk = F:\Programmi\Globe Software\StatBar\StatBar.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digisoft AntiDialer.lnk = F:\Programmi\Digisoft AntiDialer\AntiDialer.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Programmi\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - F:\PROGRA~1\DAP\DAP.EXE
O12 - Plugin for .spop: F:\Programmi\Internet Explorer\Plugins\NPDocBox.dll





Many thanks, and sorry for the length.
P.S. The HijackThis guide is very useful

Nicky
08-09-2004, 13:16
Edit: solved it on my own... :p

Max The Carret
08-09-2004, 15:10
So, I caught a trojan :rolleyes: ; if it hadn't been for Zone Alarm blocking it, who knows whether I'd have noticed. AVG found it the next day, after updating, but it doesn't remove it.
Did online scans: detected, not removed.
Made a log with HijackThis: detected :rolleyes:
The thing is that I had just formatted and noticed it right afterwards; who knows where it was hiding... impossible to have caught it in the three minutes Zone was disabled while I was doing the update.
Reformatting costs me nothing, but what if it still lives in my documents? I think it got in through a p2p, or through mIRC. It's called linux.exe, trojan/irc/backdoor.sdbot.47

Can you help me remove it? I'll post the log:
thanks for the help :)

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\soundman.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
D:\Service Disk\html2pop3117betawin32\html2pop3.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\iTunes\iTunes.exe
D:\Service Disk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xoomer.virgilio.it/pronius
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe
O4 - Startup: Collegamento a html2pop3.lnk = D:\Service Disk\html2pop3117betawin32\html2pop3.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{794D9CDA-DCD4-4A81-9BE4-D4F51C3A0A15}: NameServer = 80.18.114.155 151.99.125.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{794D9CDA-DCD4-4A81-9BE4-D4F51C3A0A15}: NameServer = 80.18.114.155 151.99.125.1

BadMirror
09-09-2004, 16:13
.

MrOZ
12-09-2004, 16:40
Originally posted by Max The Carret
So, I caught a trojan :rolleyes: ; if it hadn't been for Zone Alarm blocking it, who knows whether I'd have noticed. AVG found it the next day, after updating, but it doesn't remove it.
Did online scans: detected, not removed.
Made a log with HijackThis: detected :rolleyes:
The thing is that I had just formatted and noticed it right afterwards; who knows where it was hiding... impossible to have caught it in the three minutes Zone was disabled while I was doing the update.
Reformatting costs me nothing, but what if it still lives in my documents? I think it got in through a p2p, or through mIRC. It's called linux.exe, trojan/irc/backdoor.sdbot.47

Can you help me remove it? I'll post the log:
thanks for the help :)



DO NOT POST HIJACKTHIS LOGS HERE FOR OTHERS TO ANALYZE... nobody will look at them in this thread.

Open a new thread, giving as much information as possible.

Thanks.

Max The Carret
12-09-2004, 16:45
ok, thanks :)
I thought there was a specific thread, and since I couldn't find one...

anyway, I had it analyzed online, but since I couldn't remove the trojan, I formatted :D

bye

Matrixbob
29-09-2004, 18:00
Does the result have to be all green checkmarks, or are yellow icons allowed too?!

Red ones obviously not :) right?!

gabryboom
29-09-2004, 22:29
sorry, but hijackthis flags the file Mqeuwxsrgbzo [c:\windows\system32\zdablpu.exe] (present in the startup list) as suspicious,
but to me it clearly looks like a trojan;
what's more, when Windows XP starts, the remote connection opens
what do I do... can I remove this file with regcleaner, or is it a Windows file?????

:confused: :confused: :confused:

Matrixbob
29-09-2004, 23:19
Originally posted by gabryboom
sorry, but hijackthis flags the file Mqeuwxsrgbzo [c:\windows\system32\zdablpu.exe] (present in the startup list) as suspicious,
but to me it clearly looks like a trojan;
what's more, when Windows XP starts, the remote connection opens
what do I do... can I remove this file with regcleaner, or is it a Windows file?????

:confused: :confused: :confused:
I don't know if this is the right thread to discuss it, but I've never seen a Windows file like that.
Try all the antispyware tools recommended by the forum (Lavasoft & co).
Try ewido or The Cleaner to see if it's a trojan.
Also, regcleaner should only be for cleaning the registry and not files from the PC; at least the name suggests that... and I don't recall it being anything great... :rolleyes:

wgator
30-09-2004, 07:34
Originally posted by Matrixbob
Does the result have to be all green checkmarks, or are yellow icons allowed too?!

Red ones obviously not :) right?!

Hi,

well... the HijackThis analysis engine is very useful for giving you a lead, but it shouldn't be treated as gospel.

Green icons are normally legitimate files; orange ones should be checked manually (put the file name into Google and try to work out what it is). Sometimes they're system files or program files that aren't recognized; sometimes they're junk.

For red icons too, it's better to do a little check before deleting them; it's not uncommon for the engine to consider as infected files that are actually legitimate.

One example for all: this is considered dangerous:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti

It's actually the "Links" button on the Explorer toolbar, which is surely useless but certainly not dangerous :p

In conclusion: that engine is very useful, but it's worth cross-checking with Google too, because it's not infallible :)
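The cross-checks this thread keeps coming back to (wgator's 07/08/04 edit above, where the analyzer waved mcc.exe through, and the green/orange/red discussion in this post) can be turned into a small script. What follows is an added example, not code from HijackThis, hijackthis.de or any poster: it parses the `Running processes` block and the Rx/Ox lines of a log and applies local rules for the things the thread flagged by eye (a bare file name in a Run key, an entry name that mimics Microsoft, the same name registered in several autostart keys, `(no file)` leftovers, autostarts and processes living in temp/download/desktop folders, O10 LSP entries, O17 nameservers), then diffs a "before" and an "after" log. The rule set, the severity labels and the `REVIEW_DIRS` list are this example's own choices; the two sample logs are constructed by stitching together lines pasted in this thread and are not complete logs.

```python
"""Offline triage of HijackThis log lines.

Added example for this thread; not code from HijackThis, hijackthis.de or any
poster. Rules, names and severities are this example's own choices, and the
SAMPLE_* logs are constructed from lines pasted in the thread (not full logs).
"""
import re
from collections import Counter

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: .+? = (?P<target>.*)$")
IMPERSONATION = re.compile(r"microsoft|windows", re.I)   # entry names that mimic the OS
REVIEW_DIRS = ("\\temp\\", "\\downlo~1\\", "\\downloaded program files\\", "\\desktop\\")

SAMPLE_BEFORE = r"""
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\downlo~1\f4bwd1g\jvxtf2.exe
O3 - Toolbar: (no name) - {31D1CA78-F919-4198-8DA5-AB6F44E4AB28} - (no file)
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 F:\PROGRA~1\NewDotNet\newdotnet6_22.dll,NewDotNetStartup
O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\..\{794D9CDA-DCD4-4A81-9BE4-D4F51C3A0A15}: NameServer = 80.18.114.155 151.99.125.1
"""
SAMPLE_AFTER = r"""
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\downlo~1\f4bwd1g\jvxtf2.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O4 - Global Startup: gameutil.exe.lnk = ?
"""

def parse(log):
    """Return (running process paths, [(section, body), ...]) from raw log text."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        if line == "Running processes:":
            in_procs = True
        elif m := ENTRY_RE.match(line):
            in_procs = False          # first Rx/Ox line ends the process block
            entries.append((m["sec"], m["body"]))
        elif in_procs:
            procs.append(line)
    return procs, entries

def _exe(cmd):
    """Executable part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""

def _in_review_dir(path):
    return any(d in path.lower() for d in REVIEW_DIRS)

def triage(log):
    """Apply the local rules; returns [(severity, line, reason)], severity in suspect/review/leftover."""
    procs, entries = parse(log)
    out = [("review", p, "process running from a temp/download/desktop folder") for p in procs if _in_review_dir(p)]
    names = Counter()                 # how many autostart keys carry the same entry name
    for sec, body in entries:
        line = f"{sec} - {body}"
        if sec == "O4" and (m := RUN_RE.match(body)):
            name, exe = m["name"], _exe(m["cmd"])
            names[name.lower()] += 1
            if "\\" not in exe:
                out.append(("review", line, "bare file name: located through the PATH search order, not a fixed path"))
            if IMPERSONATION.search(name) and "\\windows\\" not in exe.lower():
                out.append(("suspect", line, "Microsoft-sounding name whose target is outside the Windows folder"))
            if m["key"].lower() == "runservices":
                out.append(("review", line, "RunServices is a Win9x key, rarely used by legitimate XP software"))
            if exe.lower().startswith("rundll32"):
                out.append(("review", line, "rundll32 loader: the DLL after it is the real autostart"))
            if _in_review_dir(exe):
                out.append(("review", line, "autostart target in a temp/download/desktop folder"))
        elif sec == "O4" and (s := STARTUP_RE.match(body)) and s["target"] == "?":
            out.append(("review", line, "startup shortcut whose target HijackThis could not resolve"))
        elif sec in ("O2", "O3") and body.endswith("(no file)"):
            out.append(("leftover", line, "orphaned CLSID with no file on disk: harmless, fix it to tidy up"))
        elif sec == "O10":
            out.append(("suspect", line, "Winsock LSP hijack: repair the LSP chain (e.g. LSPFix), never just delete"))
        elif sec == "O17":
            out.append(("review", line, "DNS servers set on an interface: confirm they belong to your ISP"))
    out += [("suspect", n, f"same autostart name registered in {k} places") for n, k in names.items() if k >= 3]
    return out

def diff_logs(before, after):
    """(disappeared, appeared): process paths and entry lines that differ between two logs."""
    def lines(log):
        procs, entries = parse(log)
        return set(procs) | {f"{s} - {b}" for s, b in entries}
    old, new = lines(before), lines(after)
    return sorted(old - new), sorted(new - old)

if __name__ == "__main__":
    for sev, line, why in sorted(triage(SAMPLE_BEFORE)):
        print(f"[{sev}] {line}  <- {why}")
```

Run as a script it prints the findings for the sample. Two things it shows that the prose alone does not: the mcc.exe line produces no finding at all, because a file sitting in System32 under a plausible name gives a local rule nothing to catch, which is exactly why the post above says to re-check with the old methods (signatures, Google) as well; and `diff_logs` on the two samples reports that F:\WINDOWS\downlo~1\f4bwd1g\jvxtf2.exe is still running after the cleanup, since in neither log does an O4 line point at it, so removing O4 entries alone cannot have stopped it.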

High Speed
20-11-2004, 19:12
I wanted to say thanks to whoever invented this software....
today, thanks to it, I managed to recover a PC that wouldn't connect to the internet after having extirpated (with Kaspersky) 97 viruses of at least 30 different types, 250 bad elements (between processes, registry keys and files) with Ad-Aware and a couple of fixes from CWShredder.

It drove me crazy because the local network worked; then, after doing the acid test with a direct USB ADSL "modem", when I saw that it wouldn't connect that way either, I resorted to HijackThis and found the cause simply by reading the scan (i.e. without even submitting the log to the site)....
the cause was lsp.dll and the related winsock stack; the program pointed me to a site I really have to thank (www.cexx.org/lspfix.htm) from which I downloaded the fix, repairing Win XP.

Of course this PC belongs to a company, and contained far too much important data to be kept in those conditions.... :rolleyes: no comment....

Thanks, of course, also to this forum and to MrOZ, who some time ago pointed out this program, which I in turn had thought to put on my USB memory stick for emergency rescues.
Bye

fedved
23-03-2005, 17:19
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

the two O4 ..... linux.exe smell fishy to me, as does O4 - Startup: Collegamento a html2pop3.lnk = D:\Service Disk\html2pop3117betawin32\html2pop3.exe

and the last 2 depend on your provider

BravoGT83
11-05-2005, 20:57
dang, there was already a thread for hijackthis :rolleyes:

3dsst
18-05-2005, 13:38
I wanted to say thanks to whoever invented this software....
today, thanks to it, I managed to recover a PC that wouldn't connect to the internet after having extirpated (with Kaspersky) 97 viruses of at least 30 different types, 250 bad elements (between processes, registry keys and files) with Ad-Aware and a couple of fixes from CWShredder.

It drove me crazy because the local network worked; then, after doing the acid test with a direct USB ADSL "modem", when I saw that it wouldn't connect that way either, I resorted to HijackThis and found the cause simply by reading the scan (i.e. without even submitting the log to the site)....
the cause was lsp.dll and the related winsock stack; the program pointed me to a site I really have to thank (www.cexx.org/lspfix.htm) from which I downloaded the fix, repairing Win XP.

Of course this PC belongs to a company, and contained far too much important data to be kept in those conditions.... :rolleyes: no comment....

Thanks, of course, also to this forum and to MrOZ, who some time ago pointed out this program, which I in turn had thought to put on my USB memory stick for emergency rescues.
Bye
;)

peppogio
21-08-2005, 16:58
Great link... now I understand a bit more! :D

harry potter 87
30-07-2006, 17:32
I've just started using it :D I see a year has passed since the last post :D is it still useful as a program?

juninho85
30-07-2006, 21:35
I've just started using it :D I see a year has passed since the last post :D is it still useful as a program?
useful? try opening the thread in the official discussions :D

harry potter 87
31-07-2006, 17:45
useful? try opening the thread in the official discussions :D

:doh: :doh: sorry :D

byker
08-09-2006, 18:11
Hi everyone,
I'd like to know, once the log has been analyzed, how I should proceed to remove the infected files; thanks.
This is the result of the log analysis.


Entry | Kind (Safe, Nasty, Unknown) | Description / Tip
Logfile of HijackThis v1.99.1 | Safe | Shows the version of HijackThis. The newest version is v1.99.1! This should be the newest version. (v1.99.1)
Platform: Windows XP SP2 (WinNT 5.01.2600) | |
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) | Safe | Shows the version of your Internet Explorer. Newest version is 6.00.2900.2180! This should be the newest version. (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe | Safe | Classified by visitors as good (*)
C:\WINDOWS\system32\winlogon.exe | Safe | Classified by visitors as good (*)
C:\WINDOWS\system32\services.exe | Safe | Classified by visitors as good (*)
C:\WINDOWS\system32\lsass.exe | Safe | Classified by visitors as good (*)
C:\WINDOWS\system32\Ati2evxx.exe | Safe | Classified by visitors as good (*)
C:\WINDOWS\system32\svchost.exe | Safe | Classified by visitors as good (*)
C:\WINDOWS\System32\svchost.exe | Safe | Classified by visitors as good (*)
C:\WINDOWS\system32\spoolsv.exe | Safe | Classified by visitors as good (*)
C:\Programmi\ewido anti-spyware 4.0\guard.exe | Safe | Classified by visitors as good (*)
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE | Safe | Running process (MDM.EXE). Machine Debug Manager. Used by developers.
C:\Programmi\Eset\nod32krn.exe | Safe | Classified by visitors as good (*)
C:\WINDOWS\system32\slmdmsr.exe | Safe | Classified by visitors as good (*)
C:\WINDOWS\system32\svchost.exe | Safe | Classified by visitors as good (*)
C:\WINDOWS\system32\Ati2evxx.exe | Safe | Classified by visitors as good (*)

(*) "This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see why the entry was classified in such a way."
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\Explorer.EXE
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\SOUNDMAN.EXE
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
Safe. running process. (HPWuSchd2.exe)
Part of Hewlett-Packard

Possibly nasty! According to our database this process runs normally in c:\programme\hewlett-packard\hp software update\! Check if you know this process and arrange a viruscheck where required.
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
Safe. running process. (DataLayer.exe)
Nokia DataLayer


C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
Safe. running process. (LaunchApplication.exe)
Nokia PC Suite 6


C:\Programmi\Eset\nod32kui.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
Safe. running process. (SERVIC~1.EXE)
Nokia PC Suite, F-Secure Backweb Client


C:\Programmi\ewido anti-spyware 4.0\ewido.exe
Safe. running process. (ewido.exe)
ewido anti-malware

Possibly nasty! According to our database this process runs normally in c:\programme\ewido anti-malware 4.0\! Check if you know this process and arrange a viruscheck where required.
C:\WINDOWS\system32\ctfmon.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\Programmi\Messenger\msmsgs.exe
Safe. running process. (msmsgs.exe)
MSN Messenger


C:\Programmi\Phone\Skype.exe
Safe. running process. (Skype.exe)


Possibly nasty! According to our database this process runs normally in c:\programme\skype\phone\! Check if you know this process and arrange a viruscheck where required.
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
Safe. running process. (PcSync2.exe)
Nokia PC Suite 6


C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
Safe. running process. (mpbtn.exe)
System tray icon for the Virtual Assistant from AT&T Broadband, used to communicate internet problems via the network rather than telephone. Available via desktop shortcut or Start -> Programs - not required
Not dangerous, but unnecessary.

C:\Programmi\HP\Digital Imaging\bin\hpqimzone.exe
Safe. running process. (hpqimzone.exe)
Hewlett-Packard


C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
Safe. running process. (hpqtra08.exe)
HP Digital Imaging


C:\Programmi\Kodak\Kodak EasyShare software\bin\EasyShare.exe
Safe. running process. (EasyShare.exe)



C:\Programmi\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
Unknown running process. (KodakSoftwareUpdater.exe)

This is a unknown process.

C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
Safe. running process. (hpqSTE08.exe)
Hewlett-Packard Digital Imaging


C:\Programmi\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
Safe. running process. (hprblog.exe)
Hewlett-Packard Digital Imaging


C:\Programmi\Internet Explorer\iexplore.exe
Safe. running process. (iexplore.exe)
Internet Explorer - Wir empfehlen einen sichereren alternativen Browser zu verwenden. (z.B. Firefox)


C:\Documents and Settings\Stefano Pacini\Documenti\My Skype Received Files\hijackthis_199\HijackThis.exe
Safe. running process. (HijackThis.exe)
Tool, mit dem sie dieses Logfile erzeugt haben. Das Programm sollte so angelegt sein ! C:\Programme\HijackThis\HijackThis.exe
Remember that Hijackthis must be run in an own folder. Only if Hijackthis run in an own folder it will create backups!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
Safe. This page has been identified as safe.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
Safe. Entries found in this registry zone are potentially nasty. This application ([06849E9F-C8D7-4D59-B87D-784B7D6BE0B3] - Result: 06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) has been checked. Hit rate: 100,00%

O2 - BHO: (no name) - {18701B47-164D-48C2-89E7-D24D0F385585} - (no file)
Unnecessarily Entries found in this registry zone are potentially nasty. This application ([18701B47-164D-48C2-89E7-D24D0F385585] - Result: ) has been checked. Hit rate: 0,00%
Unknown application.
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
Safe. Entries found in this registry zone are potentially nasty. This application ([AA58ED58-01DD-4d91-8333-CF10577473F7] - Result: AA58ED58-01DD-4d91-8333-CF10577473F7) has been checked. Hit rate: 100,00%

O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
Safe. Entries found in this registry zone are potentially nasty. This application ([EF99BD32-C1FB-11D2-892F-0090271D4F88] - Result: EF99BD32-C1FB-11D2-892F-0090271D4F88) has been checked. Hit rate: 100,00%

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
Safe. Entries found in this registry zone are potentially nasty. This application ([2318C2B1-4965-11d4-9B18-009027A5CD4F] - Result: 2318C2B1-4965-11D4-9B18-009027A5CD4F) has been checked. Hit rate: 97,22%

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
Safe. HP software updates. If a shortcut doesn\'t exist create your own and run it manually
Hit rate: 94,44 % (result)
Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
Safe. Nokia PC Suite 5 - "A collection of powerful tools that you can use to manage your phone features and data." Synchronize the phone with, for example Outlook. You can also use it to browse your phone, edit the phone list and so on
Hit rate: 100,00 % (result)

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
Safe. Nokia PC Suite 6
Hit rate: 100,00 % (result)

O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
Safe. Ewido Anti-Malware
Hit rate: 100,00 % (result)

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
Safe. CTFMon is involved with the language/alternative input services in Office XP. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don\'t need these features. For more info on ctfmon see here. CTFMON can be disabled from Control Panel, Text & Speech Services
Hit rate: 55,00 % (result)

O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
Safe. Windows Messenger utility. If you don\'t use Windows Messenger, this can be annoying. Available via Start -> Programs. Go to Windows Messenger > Tools > Options > Preferences and uncheck "Run this program when Windows starts"
Hit rate: 100,00 % (result)

O4 - HKCU\..\Run: [Skype] "C:\Programmi\Phone\Skype.exe" /nosplash /minimized
Safe. "Skype is free and simple software that will enable you to make free calls anywhere in the world in minutes"
Hit rate: 100,00 % (result)
Not dangerous, but unnecessary.
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
Safe. Nokia PC Suite 6
Hit rate: 100,00 % (result)

O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Safe. Part of Acrobat Reader 7
Hit rate: 72,03 % (result)

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
Safe. HP digital imaging monitor; can apparently be launched manually.
Hit rate: 96,43 % (result)
Not dangerous, but unnecessary.
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Programmi\Kodak\Kodak EasyShare software\bin\EasyShare.exe
Safe. Software bundled with Kodak digital cameras to manage the connection between the PC and the Camera. Can be started manually.
Hit rate: 96,15 % (result)

O4 - Global Startup: Kodak software updater.lnk = C:\Programmi\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
Unknown
Hit rate: 0,00 % (result)
Unknown application.
O4 - Global Startup: LG SyncManager.lnk = ?
Safe.
Hit rate: 66,67 % (result)

The entry is unnecessary and can be fixed.
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Safe. The entry E&sporta in Microsoft Excel has been identified as safe.
If the entry 'E&sporta in Microsoft Excel ' is not needed anymore, it should be fixed.
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
Safe. The entry Ricerche has been identified as safe.
If the entry 'Ricerche ' is not needed anymore, it should be fixed.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
Safe. The entry Messenger has been identified as safe.
If the entry 'Messenger ' is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
Safe. The entry Windows Messenger has been identified as safe.
If the entry 'Windows Messenger ' is not needed anymore, it should be fixed.
O15 - Trusted Zone: www.adslconnection.name
Nasty This entry was classified from our visitors as bad.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O15 - Trusted Zone: www.archivio.name
Safe. If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: www.archiviosex.net
Nasty This entry was classified from our visitors as bad.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O15 - Trusted Zone: www.hastalavista.it
Safe. If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: www.otherchance.com
Nasty This entry was classified from our visitors as bad.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O15 - Trusted Zone: www.playitalia.com
Safe. If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: www.pornoaccesso.com
Safe. If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: www.redfunny.com
Nasty This entry was classified from our visitors as bad.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O15 - Trusted Zone: www.sgrunt.biz
Nasty This entry was classified from our visitors as bad.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O15 - Trusted Zone: www.skymasters.biz
Nasty This entry was classified from our visitors as bad.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O15 - Trusted Zone: www.softlab.name
Safe. If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: www.xxx-content.name
Nasty This entry was classified from our visitors as bad.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DC0EAE8-D2A4-4A73-8D03-090340EDBFA3}: NameServer = 85.37.17.55 85.38.28.93
Possibly nasty If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.
Do you know the IP or Domain '85.37.17.55 85.38.28.93'? If not, fix this entry.
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
This service (guard.exe) was identified as a good one.
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
This service (KodakCCS.exe) was identified as a good one.
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.


This log has been checked automatically.
Check your log file automatically at www.hijackthis.de.
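The report above applies a few rules per section: Trusted Zone hosts (O15) should be fixed unless you added them, NameServer overrides (O17) must belong to your ISP, entries pointing at "(no file)" are dead and fixable, and non-Microsoft services (O23) need a known vendor and an existing file. As an added example that is not part of this thread, of HijackThis or of hijackthis.de, here is a small Python triage script applying those rules to log lines; the sample log is constructed from entries quoted in this thread, and the resolver allow-list is an assumption to replace with your own ISP's DNS servers.

```python
"""Triage of HijackThis log entries with the rules the hijackthis.de report applies.

Added example for this thread, not code from HijackThis or hijackthis.de.
The sample log is constructed from entries quoted in the thread; the resolver
allow-list is an assumption you must replace with your own ISP's DNS servers.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section id, e.g. "O15"
    verdict: str   # "safe", "review" (owner must confirm) or "fixable" (dead entry)
    reason: str
    entry: str     # the raw log line


# An entry is "<section> - <body>", e.g. "O17 - HKLM\...: NameServer = ..."
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_entry(line):
    """Return (section, body) for a log entry, or None for header/process lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_entry(line, known_dns=frozenset()):
    """Classify one entry. known_dns: resolvers the machine's owner recognises."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    section, body = parsed
    line = line.strip()

    # Dead entries (BHO, toolbar, Run key, button) pointing at a missing file
    if section in ("O2", "O3", "O4", "O9") and body.endswith("(no file)"):
        return Finding(section, "fixable", "points to a file that no longer exists", line)

    if section == "O15":
        # Trusted Zone hosts get IE's most permissive security settings
        host = body.split(":", 1)[1].strip()
        return Finding(section, "review",
                       f"{host} is in IE's Trusted Zone; fix unless you added it yourself", line)

    if section == "O17":
        # NameServer override: every resolver must be one the owner knows
        servers = IPV4_RE.findall(body.split("NameServer =", 1)[-1])
        unknown = [s for s in servers if s not in known_dns]
        if unknown:
            return Finding(section, "review",
                           "unrecognised DNS server(s): " + ", ".join(unknown), line)
        return Finding(section, "safe", "all DNS servers are known resolvers", line)

    if section in ("O2", "O3"):
        return Finding(section, "review",
                       "browser extension; confirm the DLL belongs to software you installed", line)

    if section == "O23":
        # "Service: <name> - <vendor> - <path>"; the name itself may contain " - "
        parts = body[len("Service:"):].strip().rsplit(" - ", 2)
        if len(parts) != 3:
            return Finding(section, "review", "service entry has no vendor field", line)
        name, vendor, path = parts
        if vendor == "Unknown owner" or path.endswith("(file missing)"):
            return Finding(section, "review",
                           f"non-Microsoft service {name!r} with unknown owner or missing file", line)
        return Finding(section, "safe",
                       f"non-Microsoft service {name!r} from {vendor}; confirm you installed it", line)

    return Finding(section, "review", "no rule for this section; check it against the tutorial", line)


def triage_log(text, known_dns=frozenset()):
    """Triage every entry of a HijackThis log; header and process lines are skipped."""
    findings = (triage_entry(ln, known_dns) for ln in text.splitlines())
    return [f for f in findings if f is not None]


def summarize(findings):
    """Count findings per verdict, e.g. {'review': 5, 'fixable': 1, 'safe': 1}."""
    return dict(Counter(f.verdict for f in findings))


# Constructed sample: a handful of entries taken from the log quoted in this thread
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18701B47-164D-48C2-89E7-D24D0F385585} - (no file)
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.hastalavista.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DC0EAE8-D2A4-4A73-8D03-090340EDBFA3}: NameServer = 85.37.17.55 85.38.28.93
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    # Assumed allow-list: pretend the ISP's resolvers are the two from the sample log
    results = triage_log(SAMPLE_LOG, known_dns=frozenset({"85.37.17.55", "85.38.28.93"}))
    for f in results:
        print(f"{f.verdict:8} {f.section:4} {f.reason}")
    print(summarize(results))
```

With an empty allow-list the O17 entry is flagged for review; with the two resolvers listed it becomes safe, which is exactly the question the report asks you to answer yourself.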

juninho85
08-09-2006, 21:41
Hi everyone
I'd like to know, once the log has been analyzed, how I should proceed to remove the infected files, thanks.

"fix selected items"

Gandhi82
04-07-2007, 14:21
No active firewall was found on your system, or you are using a firewall unknown to us. If you do not use a firewall you should download one, or you can enable the one included in Windows XP. If you have doubts or want us to add the firewall you use to our database, contact us on the forum: www.hijackthis.de/forum

Is it possible that I have no firewall enabled? I use the Windows one and it appears enabled to me

wizard1993
04-07-2007, 18:00
the Windows one can't be detected by HijackThis

Houdini87
15-09-2007, 14:29
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.23.23, on 15/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel Audio Studio\IntelAudioStudio.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Logitech\Video\LogiTray.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Winamp\Winampa.exe
C:\Programmi\QuickTime\QTTask.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programmi\Microsoft Encarta\Microsoft Encarta 2007 - Premium DVD\EDICT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\MSN Messenger\livecall.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Windows Media Player\wmplayer.exe
C:\Documents and Settings\utente\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {bd0e4d83-654e-4213-965b-fcbe887061f4} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\iehelper3.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Programmi\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [E07IXLRD_158781] "C:\Programmi\Microsoft Encarta\Microsoft Encarta 2007 - Premium DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Barra di ricerca di Encarta - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C40908A6-38C4-4035-9D11-7A7BC6C80454}: NameServer = 85.37.17.49 85.38.28.91
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7012 bytes


guys, help me.....

juninho85
15-09-2007, 14:31
link (http://www.hwupgrade.it/forum/showthread.php?t=937676)

Houdini87
15-09-2007, 14:38
link (http://www.hwupgrade.it/forum/showthread.php?t=937676)

can nobody help me?? to find out whether I have any problems?

juninho85
15-09-2007, 14:43
can nobody help me?? to find out whether I have any problems?
there, yes

Houdini87
15-09-2007, 14:48
there, yes

honestly I read it but understood little... since I'm not very expert in the field... so I wanted a hand from you to know whether I have problems and how to solve them.. since I can't understand the meaning of the logs even though I read the guide (I can't tell whether they're benign or malicious)

juninho85
15-09-2007, 14:52
we misunderstood each other... you have to post there

ste_95
20-10-2007, 08:49
for the analysis via the site, I tried to add some things it didn't see, but it wouldn't add them! is that normal?:mad:

fabius00
30-01-2008, 13:29
This is a web page with a script to analyze a hijackthis log

http://hijackthis.de/index.php?langselect=english

just copy the contents of hijackthis.log into the box at the bottom and press "analyze", after which you'll get an analysis of your log.

- Be careful though, this system is still under development, so it doesn't recognize all programs yet.

Bye.

the link doesn't work anymore :(

my log is


Logfile of HijackThis v1.99.1
Scan saved at 14.22.06, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programmi\Canon\CAL\CALMAIN.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Eset\nod32kui.exe
C:\Program Files\GlobespanVirata\Adsl\dslstat.exe
C:\Program Files\GlobespanVirata\Adsl\dslagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\PROGRA~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Last.fm\LastFMHelper.exe
C:\Programmi\Last.fm\LastFM.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\fabio\Documenti\utility\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tim.it/consumer/homepage.do
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\GlobespanVirata\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\GlobespanVirata\Adsl\dslagent.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: Last.fm Helper.lnk = C:\Programmi\Last.fm\LastFMHelper.exe
O4 - Global Startup: BTTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{935E494C-562D-4F76-ADCB-E54E492BC25E}: NameServer = 193.70.152.15 193.70.152.25
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmi\Canon\CAL\CALMAIN.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Programmi\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Programmi\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Programmi\File comuni\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Programmi\File comuni\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Unknown owner - C:\Programmi\File comuni\Roxio Shared\SharedCOM8\RoxWatch.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPnPService - Magix AG - C:\Programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe

Damn, Firefox pages with advertising keep opening!!!
I used Ad-Aware but nothing...

lancetta
30-01-2008, 14:13
the link doesn't work any more :(


you're in the wrong place
if you want experienced users to read your log:
http://www.hwupgrade.it/forum/showthread.php?t=937676

for the automatic analysis:
http://www.hijackthis.de/it

nuovoUtente86
23-03-2008, 15:45
Continuing from the post http://www.hwupgrade.it/forum/showthread.php?t=1707201 :
I don't have the desktop shortcut, nor have I ever used the installer in question, only ever the .exe contained in the compressed archive downloadable from the site. As I said, the only thing I find is the program installed in the Programs and Features list (Add or Remove Programs in Windows XP).

xcdegasp
24-03-2008, 13:19
that's normal, 2.0.2 does it too..

Stefy_MHR
04-07-2008, 18:10
I don't know how to delete the files with the question mark!:(

ShoShen
06-07-2008, 21:46
you don't necessarily have to delete the files with the question mark; it just means that a given program, process, etc. is not known to the automatic analysis
:)

Stefy_MHR
06-07-2008, 22:14
you don't necessarily have to delete the files with the question mark; it just means that a given program, process, etc. is not known to the automatic analysis
:)
ah ok, thanks... you never stop learning!:D

ShoShen
06-07-2008, 22:20
ah ok, thanks... you never stop learning!:D

you're welcome :)

crespo81
08-07-2008, 16:53
Could you check this one for me?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16.24.08, on 08/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Programmi\Eset\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Programmi\ASUS\NB Probe\SPM\spmgr.exe
D:\WINDOWS\system32\svchost.exe
D:\Programmi\Synaptics\SynTP\SynTPEnh.exe
D:\Programmi\Eset\nod32kui.exe
D:\Programmi\ASUS\ASUS Direct Console\LCMP.EXE
D:\WINDOWS\ATK0100\HControl.exe
D:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
D:\Programmi\Wireless Console 2\wcourier.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Programmi\ASUS\ASUS Splendid Video Enhancement Technology\ACMON.exe
D:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\ACEngSvr.exe
D:\WINDOWS\ATK0100\ATKOSD.exe
D:\WINDOWS\system32\msiexec.exe
D:\Programmi\Mozilla Firefox\firefox.exe
D:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
D:\Programmi\Lavasoft\Ad-Aware\Ad-Aware.exe
D:\Documents and Settings\Salvo\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ircdown.com/it/index.php?rvs=hompag&d=79919297
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SynTPEnh] D:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nod32kui] "D:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DirectMessenger] "D:\Programmi\ASUS\ASUS Direct Console\LCMP.EXE"
O4 - HKLM\..\Run: [HControl] D:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [Power_Gear] D:\Programmi\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [Wireless Console 2] D:\Programmi\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ACMON] D:\Programmi\ASUS\ASUS Splendid Video Enhancement Technology\ACMON.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Cleanup] D:\cleanup.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Programmi\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF42416D-086F-43F6-B175-D648C0DDB134}: NameServer = 192.168.1.254
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Programmi\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: spmgr - Unknown owner - D:\Programmi\ASUS\NB Probe\SPM\spmgr.exe

--
End of file - 6144 bytes

Thanks everyone
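What the automatic analyzer and the experienced readers in this thread actually look for in a log like the one above (stale "(file missing)" / "(no file)" references, the "= ?" entries ShoShen mentions, services with no publisher, a changed start page, DNS servers outside the LAN) can be scripted. The following is an added example, not code from the thread or from HijackThis; the sample log is constructed from lines quoted in this thread, and the flagging rules are my own reading heuristics, not the rules of hijackthis.de.

```python
import ipaddress
import re

# Constructed sample in the shape of the HijackThis v2 logs quoted in this thread
# (paths and CLSIDs copied from those logs; it is not a scan of any real machine).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ircdown.com/it/index.php?rvs=hompag&d=79919297
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Global Startup: BTTray.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{935E494C-562D-4F76-ADCB-E54E492BC25E}: NameServer = 193.70.152.15 193.70.152.25
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
"""

# Every HijackThis entry starts with a section tag (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.*)$")


def parse_entries(text):
    """Return (section, body) pairs; headers, blank lines and the process list are skipped."""
    return [(m.group("sec"), m.group("body"))
            for m in (ENTRY_RE.match(line.strip()) for line in text.splitlines()) if m]


def triage(section, body):
    """Notes a human log reader would want for one entry; an empty list means nothing odd."""
    notes = []
    if "(file missing)" in body or "(no file)" in body:
        notes.append("refers to a file that no longer exists (stale leftover)")
    if body.rstrip().endswith("= ?"):
        notes.append("target not resolved by HijackThis; inspect the shortcut by hand")
    if "Unknown owner" in body:
        notes.append("service without publisher information; identify the binary first")
    if section in ("R0", "R1") and ("Start Page" in body or "Search" in body):
        url = body.split("=", 1)[1].strip()
        if "microsoft.com" not in url.lower():
            notes.append(f"start/search page is not the default ({url}); confirm you set it")
    if section == "O17":
        for addr in body.split("=", 1)[1].split():
            try:
                if not ipaddress.ip_address(addr).is_private:
                    notes.append(f"DNS server {addr} is outside the LAN; confirm it is your ISP's")
            except ValueError:  # a hostname rather than an address
                notes.append(f"non-numeric DNS entry {addr!r}; check it")
    return notes


def review(text):
    """Map each flagged entry to its notes, so the reader sees only what needs attention."""
    return {f"{s} - {b}": n for s, b in parse_entries(text) if (n := triage(s, b))}
```

Run `review(open("hijackthis.log").read())` on a saved log; the entries it leaves out (the NOD32 service in the sample, for instance) are the ones that show no sign of a problem, which is exactly why a "?" in the automatic analysis is a prompt to verify, not an instruction to delete.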

Chill-Out
08-07-2008, 22:18
Hi, for a check of the HJT log you need to post here http://www.hwupgrade.it/forum/showthread.php?t=937676 ; please read the instructions on the first page about how to attach the log, bye.

xcdegasp
31-08-2008, 00:24
HijackThis tutorial:
http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm

Dom77
24-01-2009, 16:38
HijackThis tutorial:
http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm

I think this link is useless by now...

xcdegasp
18-05-2010, 09:54
This is a web page with a script to analyze a HijackThis log

http://hijackthis.de/index.php?langselect=english

just copy the contents of hijackthis.log into the box at the bottom and press "analyze", after which you will get an analysis of your log.

- Beware though that this system is still under development, so it does not yet recognize all programs.


A HiJackThis tutorial is available here:
http://www.bleepingcomputer.com/tutorials/tutorial42.html

Bye.

Small informational note:
http://www.hwupgrade.it/forum/showpost.php?p=32012331&postcount=635

Glhardware
07-10-2014, 11:59
And is there one that analyzes the ComboFix file?